System for assuming and maintaining secure remote control of an aircraft

ABSTRACT

A method is disclosed for assuming and maintaining secure remote control of an aircraft in the event of an attack upon, or incapacity of, the pilot of the aircraft. The method includes the following steps:

-   (a) providing a secure transmission link by and between first transmitting and receiving means (“first T/R means”) on an aircraft to be controlled and second transmitting and receiving means (“second T/R means”) at a location remote from the aircraft, thereby permitting secure communication between the aircraft and the remote location;
-   (b) transmitting a command between the aircraft and the remote location for interrupting pilot control of the aircraft and initiating remote control of the aircraft;
-   (c) transmitting flight data from the aircraft to the remote location via the transmission link;
-   (d) transmitting control data from the remote location to the aircraft via the transmission link; and
-   (e) maintaining remote control of the aircraft until the need for remote control has ended or the aircraft has landed safely.

CROSS-REFERENCE TO RELATED APPLICATION

This application is related to, and claims priority from, U.S. Provisional Application No. 60/342,439, filed Dec. 21, 2001, by Jeffrey A. Matos.

BACKGROUND OF THE INVENTION

The present invention relates to a method and apparatus for assuming and maintaining secure remote control of an aircraft in the event of an intended, attempted or actual attack upon, or incapacity of, the pilot(s) of the aircraft. As is well known, terrorists and hijackers sometimes attempt to assume control of an aircraft by intimidating either the passengers and/or the crew. Once the attacker (terrorist or hijacker) takes control of an aircraft, he or she may cause it to fly to an inappropriate destination or may even cause the aircraft to crash land.

Up to now, there has been no way for personnel on the ground to assist in bringing the aircraft down for a safe landing at a desired location.

SUMMARY OF THE INVENTION

It is a principal object of the present invention to provide a method and apparatus (i.e. a system) which enables personnel outside of an aircraft to assume control of the aircraft under certain specified circumstances.

It is a further object of the present invention to provide a system for controlling an aircraft from a remote location outside the aircraft which is secure and safe from interference or hacking by an unauthorized person.

These objects, as well as further objects which will become apparent from the discussion which follows, are achieved, in accordance with the present invention, by a method comprising the steps of:

-   (a) providing a secure transmission link by and between first transmitting and receiving means (“first T/R means”) on an aircraft to be controlled and second transmitting and receiving means (“second T/R means”) at a location remote from the aircraft, thereby permitting secure communication between the aircraft and the remote location;
-   (b) transmitting a command between the aircraft and the remote location for interrupting pilot control of the aircraft and initiating remote control of the aircraft;
-   (c) transmitting flight data from the aircraft to the remote location via the transmission link;
-   (d) transmitting control data from the remote location to the aircraft via the transmission link; and
-   (e) maintaining remote control of the aircraft until the need for remote control has ended or the aircraft has landed safely.

In a preferred embodiment of the invention an authorized person, such as the pilot, may initiate the transmission of the command by pressing a button in the cockpit, by speaking a voice command or by speaking a certain word or words, such as “Help!” In the latter case, the word(s) may be changed from time to time, for example to one or more special code words, to prevent unauthorized issuance of the command by an unauthorized person.

Advantageously the method includes the step of determining whether the voice command is actually spoken by one of the authorized persons (e.g. by known voice identification techniques) and then responding to this voice command only if it is indeed spoken by such an authorized person.

Alternatively or in addition, the pilot may initiate the transmission of the command by inputting a certain alphanumeric code by means of a cockpit input device, such as the transponder code selector. As in the case of the special word(s), the code may be changed from time to time.

Alternatively, or in addition, the command to initiate remote control of the aircraft can be sourced off-site of the aircraft. In one scenario, the transmission of the command can be initiated off-site of the aircraft (e.g. at the air traffic control) when requested by the pilot. In another scenario, the transmission of the command is initiated when air traffic control, or another monitoring unit, suspects that a pilot is unable to properly control the aircraft. For example, the command may be issued by air traffic control when the aircraft deviates from an expected or authorized flight path.

Alternatively, or in addition, audio or video in the cockpit or passenger compartment of the aircraft may be transmitted to the remote location via the first and second T/R means. In this case the transmission of the command may be initiated when such sounds or video indicate that the pilot(s) is/are unable to properly control the aircraft, for example because the aircraft has been attacked by one or more hijackers.

In another scenario a second aircraft is scrambled and caused to fly within the vicinity of the aircraft to be controlled (hereinafter “first aircraft”) to investigate a suspected or perceived problem. In this case the transmission of the take-over command may be initiated when the second aircraft informs the remote location of an irregularity or could be initiated directly by the second aircraft.

In the case where a second aircraft flies in the vicinity of the first aircraft, the second aircraft may have third transmitting and receiving means (third T/R means) for communicating with the second T/R means at the remote location and fourth transmitting and receiving means (fourth T/R means) for communicating with the first T/R means on the first aircraft. This gives rise to a number of advantages:

In one embodiment of the invention, the first T/R means on the first aircraft may include means for transmitting and receiving preferentially in the direction of the second aircraft and/or the fourth T/R means on the second aircraft may include means for transmitting and receiving preferentially in the direction of the first aircraft. This enables secure communication between these two aircraft which cannot be intercepted or accessed by a receiver or transmitter on the ground.

For example, the directional transmitting and receiving means on each aircraft may include a directional antenna for RF transmission or, alternatively, laser, infra-red or even acoustic transmitters and receivers.

According to a particular feature of the present invention, the flight data transmitted to the remote location and the control data transmitted to the first aircraft are encrypted using at least one encryption key. In this case the encryption key(s) is/are preferably provided to the aircraft and to the remote location prior to each flight of the aircraft. The key(s) may be updated during each flight, if desired, by providing updated versions to both the aircraft and the remote location during the flight of the aircraft.

For maximum security one or more initial encryption key(s) is/are provided to the aircraft while at an airport prior to take-off for the flight. The key(s) may be generated at the airport and provided from there to both the aircraft and to the remote location.

Alternatively, the initial encryption key(s) may be generated on the aircraft and provided to the remote location, or generated at the remote location and provided to the aircraft.

The initial and subsequent encryption key(s) may be stored on at least one storage medium, and the storage medium provided to at least one of the aircraft and the remote location.

According to a particularly advantageous embodiment of the present invention, a satellite is located in orbit above the earth. This satellite has fifth transmitting and receiving means (fifth T/R means) for communicating with the first T/R means on the aircraft and sixth transmitting and receiving means (sixth T/R means) for communicating with the second T/R means at the remote location, and is thus able to relay communications between the aircraft and the remote location.

In the case where the flight data transmitted to the remote location and the control data transmitted to the aircraft are encrypted using at least one encryption key, the system may cause transmission of one or more encryption key(s) from the satellite (or another satellite) to the aircraft and to the remote location prior to or during the flight of the aircraft.

Advantageously, the first T/R means on the aircraft includes a directional antenna with a radiation and reception pattern directed upwardly only, with the antenna directing communication signals to and from the fifth T/R means on the satellite and not toward the ground. In addition, the second T/R means at the remote location and the sixth T/R means on the satellite may communicate with each other via a highly directional beam such as a laser beam, RF or infra-red beam. This arrangement also avoids interception of or access to any transmissions by a terrorist or other unauthorized person on the ground.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is an overview of one embodiment of the system according to the invention which includes a terrestrial remote control center, a terrestrial repeater network and an aircraft.

FIG. 1B is an overview of one embodiment of the system according to the invention which includes a terrestrial remote control center, a satellite-based repeater and an aircraft.

FIG. 2 shows one means of sharing the encryption key, utilizing a freestanding encryption source, and transmission of the encryption key(s) to both an aircraft and to a remote control center.

FIG. 3 shows another means of sharing the encryption key, utilizing a source aboard the aircraft, and with its transmission to a remote control center via a local ground terminal.

FIG. 4 shows another means of sharing the encryption key utilizing a source at the remote control center, and with its transmission to the aircraft via a local ground terminal.

FIG. 5 shows another means of sharing the encryption key utilizing a source aboard the aircraft, and with its transmission to a remote control center via satellite.

FIG. 6 shows another means of sharing the encryption key utilizing a source at the remote control center, and with its transmission to the aircraft via satellite.

FIG. 7 shows another means of sharing the encryption key utilizing a source aboard a satellite, and with its transmission to both an aircraft and to a remote control center.

FIG. 8 is an overview of another embodiment of the system according to the invention which includes a terrestrial remote control center, a satellite repeater network and an aircraft.

FIG. 9A is an overview of another embodiment of the system according to the invention which includes a controlled aircraft, an airborne remote control center aboard a second aircraft, and means for highly directional communication between the controlled aircraft and the second aircraft.

FIG. 9B is an overview of another embodiment of the system according to the invention which includes a controlled aircraft, an airborne remote control center aboard a second aircraft, a satellite which relays communication between the two aircraft, and means on both aircraft for highly directional communication between the aircraft and the satellite.

FIG. 9C is an overview of another embodiment of the system according to the invention which includes a controlled aircraft, a second aircraft with an onboard signal repeater, highly directional means for communicating between the controlled aircraft and the second aircraft, and a terrestrial remote control center with highly directional means for communication with the signal repeater aboard the second aircraft.

FIG. 9D is an overview of another embodiment of the system according to the invention which includes a controlled aircraft, a second aircraft with an onboard signal repeater, highly directional means for communicating between the controlled aircraft and the second aircraft, a satellite which relays communication between the second aircraft and a terrestrial remote control center, highly directional means for communication between the second aircraft and the satellite, and a terrestrial remote control center with highly directional means for communication with the satellite.

FIG. 10A shows the inputs and outputs to a microprocessor aboard the controlled aircraft which forms a part of the system according to the invention.

FIG. 10B shows two types of encryption key equipment aboard the controlled aircraft.

FIG. 10C is a flow diagram showing the operation of the microprocessor of FIG. 10A.

FIG. 10D shows sources of Pilot Initiated Takeover Commands including pushbuttons, microphones and keyboards, and pilot initiated takeover command processing.

FIG. 11A shows the inputs and outputs to a second microprocessor aboard the controlled aircraft which performs encryption assessment for incoming commands.

FIG. 11B is a block diagram of the controlled aircraft receiver and signal routing from the receiver.

FIG. 11C is a flow diagram showing the method of encryption assessment for incoming commands to the controlled aircraft as carried out by the microprocessor of FIG. 11A.

FIG. 12 is a block diagram of the controlled aircraft transmitter and its inputs.

FIG. 13 is a block diagram of the Master Aircraft Control, its inputs from the pilot, from the remote control and from the autopilot, and its output to controllable items on the aircraft.

FIG. 14 is a block diagram of decryption and decoding aboard the controlled aircraft.

FIG. 15 is a block diagram of encryption and encoding aboard the controlled aircraft.

FIG. 16A shows the inputs and outputs to a microprocessor in a remote control center which performs encryption assessment of incoming signals from a controlled aircraft.

FIG. 16B is a block diagram of the remote control center receiver and signal routing from the receiver.

FIG. 16C is a flow diagram showing the method of encryption assessment for incoming signals from a controlled aircraft, as carried out by the microprocessor of FIG. 16A.

FIG. 17 is a block diagram of the remote control center transmitter and its inputs.

FIG. 18 is a block diagram of decryption and decoding at the remote control center.

FIG. 19 is a block diagram of encryption and encoding at the remote control center.

FIG. 20A is a block diagram, including a microprocessor, of a system aboard the controlled aircraft for detection of either deviation of aircraft position from that predicted based on previously filed flight plan(s) or significant deviation of an updated flight plan from previously filed flight plan(s).

FIG. 20B is a flow diagram showing the operation of the microprocessor used in the system of FIG. 20A.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Contents

-   1. System Overview
    -   1.1 System with Terrestrial Repeater Network
    -   1.2 System with Satellite Links
    -   1.3 Additional Features of the Invention
-   2. Encryption Key Loading
    -   2.1 Overview of Encryption Key Loading Options
    -   2.2 Ground-based, Freestanding Encryption Source
    -   2.3 Aircraft Source; Ground Transmission
    -   2.4 Terrestrial Remote Control Center Source; Ground Transmission
    -   2.5 Aircraft Source; Satellite Transmission
    -   2.6 Terrestrial Remote Control Center Source; Satellite Transmission
    -   2.7 Satellite Source
-   3. Additional Encryption Measures
    -   3.1 Two or More Different Sources/Routes for Encryption Key Transmission
    -   3.2 Encryption Key Changes During the Flight
        -   3.2.1 Nested Encryption Keys
        -   3.2.2 Encryption Directing Unit
-   4. Use of Highly Directional Transmitting and Receiving Means to Prevent Access by Unauthorized Person
    -   4.1 Highly Directional Means Between Controlled Aircraft and Satellite, and Between Terrestrial Remote Control Center and Satellite
    -   4.2 Highly Directional Means Using an Intercepting Aircraft
        -   4.2.1 Airborne Remote Control Center is Used to Control the Intercepted Aircraft
        -   4.2.1.1 Direct Link Between Intercepting and Controlled Aircraft
        -   4.2.1.2 Link Between Intercepting and Controlled Aircraft is via Satellite
        -   4.2.2 Transmission of Encryption Key to Intercepting Aircraft
        -   4.2.3 Terrestrial Remote Control Center is Used to Control the Intercepted Aircraft
        -   4.2.3.1 Direct Link Between Terrestrial Remote Control Center and Intercepting Aircraft
        -   4.2.3.2 Link Between Terrestrial Remote Control Center and Intercepting Aircraft is via Satellite
    -   4.3 Summary of In-flight Control Options
-   5. Source of Takeover Command for the Controlled Aircraft
    -   5.1 Pilot Initiated Takeover, PITO
    -   5.2 Remote Initiated Takeover, RITO
-   6. Operational and Flow Diagrams
    -   6.1 Master Aircraft Control
        -   6.1.1 MAC State Transition Rules
        -   6.1.1.1 Transitions from MAC State 1
        -   6.1.1.1.1 Pilot Initiated Takeover
        -   6.1.1.1.2 Remote Initiated Takeover
        -   6.1.1.1.3 Other Transitions from MAC State 1
        -   6.1.1.2 Transitions from MAC State 2
        -   6.1.1.2.1 Transition from MAC State 2 to MAC State 3
        -   6.1.1.2.2 Transition from MAC State 2 to MAC State 1, an Optional System Feature
        -   6.1.1.2.3 Transition from MAC State 2 to MAC State 4
        -   6.1.1.3 Transitions from MAC State 3
        -   6.1.1.4 Transitions from MAC State 4
    -   6.2 Source of Master Aircraft Control State-Setting Inputs
        -   6.2.1 State-Setting Microprocessor, Its Inputs and Its Outputs
        -   6.2.1.1 State Setting Microprocessor
        -   6.2.1.2 State Setting Microprocessor Inputs
        -   6.2.1.2.1 Source and Analysis of PITO Signals
        -   6.2.1.3 State Setting Microprocessor Outputs
        -   6.2.2 State-Setting Flow Diagram
        -   6.2.2.1 Sequence Which Results in MAC State 1
        -   6.2.2.2 Sequences Which Result in MAC State 2 or MAC State 3
        -   6.2.2.2.1 PITO
        -   6.2.2.2.1.1 PITO Verification
        -   6.2.2.2.1.2 Handshaking Routine, Pentagon Nomenclature, Backup Autopilot in the Event of Handshake Interruption
        -   6.2.2.2.1.3 Encryption Check, Repeat Cycling Through Handshake Check and Encryption Check, Backup Autopilot in the Event of Encryption Error
        -   6.2.2.2.1.4 Final Decision to “SET MAC=2” versus “SET MAC=3”: The Anti-Hunting Algorithm
        -   6.2.2.2.2 Remote Initiated MAC State Commands
        -   6.2.2.2.2.1 RITO
        -   6.2.2.2.2.2 Remote Commands to Set MAC=3 or MAC=1
        -   6.2.2.2.3 Alternate Possible Flow Diagrams
        -   6.2.2.3 MAC State 4
    -   6.3 Controlled Aircraft Receiver and Decoder
        -   6.3.1 Aircraft Receiver
        -   6.3.1.1 Decryption and Decoding of Signals Received by the Aircraft
        -   6.3.1.2 Aircraft Signal Router Output
        -   6.3.1.2.1 Aircraft Receiver Control Signals
        -   6.3.1.2.2 Aircraft Transmitter Control Signals
        -   6.3.1.2.3 Aircraft Memory
        -   6.3.1.2.4 Handshake Signals
        -   6.3.1.2.4.1 Handshake Routine with Communication Interruption Signal
        -   6.3.1.2.4.2 Handshake Routines of Still Greater Complexity
        -   6.3.1.2.5 Commands to Change the MAC State
        -   6.3.1.2.6 Encryption Keys Obtained via the Aircraft Receiver
        -   6.3.1.3 Aircraft Receiver Encryption Assessment
    -   6.4 Controlled Aircraft Encoder and Transmitter
    -   6.5 Remote Control Center Receiver and Decoder
        -   6.5.1 Remote Control Center Receiver
        -   6.5.1.1 Decryption and Decoding of Signals Received by the RCC
        -   6.5.1.2 Aircraft Signal Router Output
        -   6.5.1.3 Remote Control Center Receiver Data Encryption Assessment
    -   6.6 RCC Encoder, Transmitter and Encryption Source
    -   6.7 Flight Path Deviation Detection

The preferred embodiments of the present invention will now be described with reference to FIGS. 1-20 of the drawings. Identical elements in the various figures are identified with the same reference numerals.

1. System Overview

1.1 System with Terrestrial Repeater Network

FIG. 1A shows an aircraft 100 controlled from a terrestrial remote control center or “TRCC” 102. Bi-directional flow of encrypted information occurs between the aircraft and the TRCC. The aircraft sends information such as the throttle, elevator, rudder, flap, aileron and landing gear positions, aircraft location and velocity, remaining fuel in each tank, audio and video information from both the cockpit and the cabin. Clearly, other information about the aircraft, such as that supplied to the aircraft flight recorder, may also be transmitted. The TRCC 102 receives the information, either directly or via one or more components of a terrestrial repeater network 104. Flight controlling personnel at the TRCC 102 receive the information and use it to: (a) make a decision about whether to take control over a flight; and (b) pilot the aircraft, once they have made the decision to take control. The flight controlling personnel control the aircraft 100 by sending control signals which control each of the aircraft functions that would ordinarily be controlled by the aircraft-based pilot, such as the throttles, the elevator, the rudder, the flaps, the ailerons and the landing gear. The flight controller should have the ability to control each and every aspect of the aircraft which is required for a safe flight and for a safe landing. The TRCC 102 may be located on land or at sea. The terrestrial remote control center 102 transmits the information, either directly or via one or more components of a terrestrial repeater network 104. Information may pass between TRCC 102 and the repeater network by wireless communication means, as is shown in the figure, or by direct wire linkage. Similarly, information may pass between components of the repeater network 104 by wireless means, as is shown in the figure, or by direct wire linkage. Any of the components of the terrestrial repeater network may be located on land or at sea.

1.2 System with Satellite Links

FIG. 1B shows an aircraft 100 controlled by a TRCC 102, with signals between the aircraft and the TRCC relayed by a satellite 110. Possible advantages of the satellite system shown in FIG. 1B, over the system with terrestrial repeater stations include:

-   (a) elimination of ground-based communications links to minimize the chance of unauthorized reception or transmission of flight related information;
-   (b) enhanced ability to transmit to and receive from aircraft 100, when the aircraft is not over or near land upon which a ground station is or could be located; and,
-   (c) possible cost savings.

Rather than a single satellite, there may be a network of satellites, as shown in FIG. 8. Furthermore, a hybrid system may contain both terrestrial repeater units (as shown in FIG. 1A) and satellite-based repeater units (as shown in FIG. 8).

1.3 Additional Features of the Invention

Additional features of the invention include:

-   (a) encryption of all transmitted information;
-   (b) multiple options for distributing the encryption key to authorized users;
-   (c) highly directional means of transmitting information to minimize the chance of unauthorized reception or transmission of flight related information;
-   (d) optional airborne remote control center or “ARCC” to minimize the chance of unauthorized reception or transmission of flight related information;
-   (e) two possible modes of initiation of remote control operation: (i) by the pilot, and (ii) by a person in a remote control center (“remote control center” refers to either TRCC or ARCC); and,
-   (f) backup autopilot/autothruster control, in the event of communication failure or interruption between the controlled aircraft and the remote control center “RCC”.

These features will now be described in detail.

2. Encryption Key Loading

2.1 Overview of Encryption Key Loading Options

In order to maximize the security of communications between the TRCC 102 and the controlled aircraft 100, the information passing between them is encrypted. Various means of configuring the location of the encryption key source, and the route by which the key is conveyed to the aircraft and the TRCC are listed below in Table 1, and discussed following the Table:

TABLE 1: Encryption Key Loading Options

| Source | Sent from Source to: | FIG. |
|---|---|---|
| Ground Based, Free Standing | Aircraft, and TRCC* | 2 |
| Aircraft | TRCC via Local Ground Terminal | 3 |
| TRCC | Aircraft via Local Ground Terminal | 4 |
| Aircraft | TRCC via Satellite | 5 |
| TRCC | Aircraft via Satellite | 6 |
| Satellite | Aircraft, and TRCC | 7 |

*Transmission from Local Ground Terminal to TRCC may be via Terrestrial Network, via Satellite, or both

In the text above, and in the discussion that follows, it will be assumed that what is referred to as the “encryption key” or the “key” will contain the information necessary to perform encryption of outgoing signals (i.e. signals to be transmitted) and decryption of incoming signals (i.e. signals that have been received). It will be understood, however, that the key used for decryption may be different from that used for encryption. During or after encryption key loading, the decryption key may be derived from the encryption key or the encryption key may be derived from the decryption key; or two keys, one for encryption and one for decryption, may be provided at the same time, or at different times, and in the same or in a different manner. Similarly, the terms “encryption source,” “encryption key source,” “encryption key generator” and “encryption key reading device” refer to sources of both encryption and decryption information.

Any other use of the words “encryption,” “encrypted” or “encrypt” is intended to have the narrow and specific meaning of the word, i.e. the opposite of the words “decryption,” “decrypted” and “decrypt.”

2.2 Ground-based, Freestanding Encryption Source

One means of providing the encryption key to the TRCC 102 and aircraft 100 is shown in FIG. 2. A freestanding encryption key source 106A, not a part of either aircraft 100 or TRCC 102, generates the encryption key. Encryption key source 106A may be located near where the aircraft is parked immediately prior to its departure, or at a more distant location in or near the airport. After it is generated, the key is transferred to both the aircraft and to a local ground terminal 108. The local ground terminal 108 may be located near where the aircraft is parked immediately prior to its departure, or at a more distant location. The key is transferred from the local ground terminal to the TRCC 102. The transfer of the key from the encryption source 106A to both the aircraft 100 and terminal 108 may be either by:

-   (a) direct wire link;
-   (b) optical, infrared or ultraviolet link (e.g. via laser);
-   (c) a very short range radiofrequency link; or,
-   (d) a computer diskette, a CD, a DVD, an optical disk, zip drive or other portable data storage medium, which is erased after being read once.

The means for transfer of the key to the aircraft need not be identical to the means for transfer of the key to the local ground terminal. The transfer of the encryption key from terminal 108 to TRCC 102 may be by direct wire linkage, by wireless means, or by a hybrid system which uses both direct wire and wireless means, and may or may not include one or more repeater units.

2.3 Aircraft Source; Ground Transmission

FIG. 3 shows a variation in the location of the source which creates the encryption key. In this case, encryption key source 106B is located on the aircraft 100. The linkage of encryption source 106B to the local ground terminal 108 may be via any of the means (a) through (d) discussed in the case of the freestanding encryption source 106A in FIG. 2. Furthermore, the link between encryption source 106B and ground terminal 108 may or may not utilize the aircraft communication system. The transfer of the encryption key from terminal 108 to TRCC 102 may be by direct wire linkage, or by wireless means, and may or may not involve repeater units.

2.4 Terrestrial Remote Control Center Source; Ground Transmission

FIG. 4 shows a configuration in which the encryption key source 106C is located within the TRCC 102. The key is transmitted to the local ground terminal by either a direct wire linkage, by wireless means, or by a hybrid system. The link from TRCC 102 to local ground terminal 108 may or may not involve repeater units. The key is transmitted from the local ground terminal 108 to the aircraft 100 by any of the means (a) through (d) discussed in the case of the freestanding encryption source 106A in FIG. 2.

2.5 Aircraft Source; Satellite Transmission

FIG. 5 shows a configuration in which the encryption key source 106B is located aboard aircraft 100. The encryption key is transmitted from the aircraft to TRCC 102 via satellite 110. The link between aircraft 100 and the TRCC may be via a single satellite, or via a system of satellites such that a signal is relayed from one satellite to another on one or more occasions as it passes between the aircraft and TRCC 102.

It would be possible to have a more complex version of the configuration shown in FIG. 5 which includes both (a) a freestanding ground-based unit which receives signals from satellite 110 (and is separate from TRCC 102) and (b) one or more repeater units situated between the freestanding ground-based receiving unit and TRCC 102. However, the simpler configuration shown in FIG. 5 is more desirable: because it contains no across-the-ground links, it would be more difficult for an unauthorized person to gain access to, or intercept, the signal in this simpler configuration.

2.6 Terrestrial Remote Control Center Source; Satellite Transmission

FIG. 6 shows a configuration in which the encryption key source 106C is located at the terrestrial remote control center 102. The encryption key is transmitted from the TRCC 102 to aircraft 100 via satellite 110. The link between aircraft 100 and the TRCC may be via a single satellite, or via a system of satellites.

It would be possible to have a more complex version of the configuration shown in FIG. 6 which includes both (a) a freestanding ground-based unit which transmits signals to satellite 110 (and is separate from TRCC 102) and (b) one or more repeater units situated between the freestanding ground-based transmitting unit and TRCC 102. However, the simpler configuration shown in FIG. 6 is more desirable: because it contains no across-the-ground links, it would be more difficult for an unauthorized person to gain access to, or intercept, the signal in this simpler configuration.

2.7 Satellite Source

FIG. 7 shows a configuration in which the encryption key source 106D is located aboard a satellite 110. The encryption key is transmitted from the satellite to both the aircraft 100 and the TRCC 102. The link between satellite 110 and each of aircraft 100 and TRCC 102 may contain additional satellites.

As indicated in the aforementioned discussion of FIG. 5, the link between satellite 110 and TRCC 102 may contain a freestanding ground-based receiving unit and ground based repeater units. However, the simpler configuration shown in FIG. 7 is more desirable because of its greater resistance to signal interception.

3. Additional Encryption Measures

3.1 Two or More Different Sources/Routes for Encryption Key Transmission

A means of further preventing an unauthorized person from obtaining the encryption key would be the use of more than one of the approaches listed in Table 1 and shown in FIGS. 2 through 7. For example: A first portion of the encryption key could be generated by the freestanding encryption key source 106A shown in FIG. 2, and could be transmitted to both the aircraft and the TRCC, as is shown in that figure. A second portion of the encryption key could be generated by the satellite based encryption key source 106D shown in FIG. 7, and could be transmitted to both the aircraft and the TRCC as is shown in that figure.

3.2 Encryption Key Changes During the Flight

Another means of preventing an unauthorized person from using the encryption key would be to change the key one or more times during the flight. The initial encryption key could be generated and transmitted according to any of the six approaches listed in Table 1. A second encryption key could be generated at a later time and transmitted according to any of the aforementioned approaches, and not necessarily the same approach as the first encryption key. The second encryption key could thus be generated from the same or a different source as the first encryption key, and its transmission path could be the same or different than the first one. The second encryption key could be generated seconds, minutes or hours after the first one.

3.2.1 Nested Encryption Keys

The second encryption key could be transmitted from its source without the key itself being encoded, or, as a further means of protection, it could be encoded using the first encryption key.

A third, fourth and additional encryption keys could later be generated, in a similar manner to the second encryption key. Hereinafter, all encryption keys after the initial one will be referred to as “follow-up encryption keys.” These later keys could be transmitted without being encoded, or could be encoded using one or more of the previously used encryption keys.
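The two measures above (a key assembled from portions sent over separate routes, Section 3.1, and follow-up keys encoded under the previous key, Section 3.2.1) are sketched here as an added example; it is not code from the patent. The HKDF-based combiner, the message layout with sequence number and authentication tag, and every function and class name are assumptions, and the HMAC-derived keystream is a standard-library stand-in for an authenticated key-wrap cipher.

```python
import hashlib
import hmac
import secrets
import struct


def hkdf(ikm, salt, info, length=32):
    """HKDF-SHA256 (RFC 5869), built from the standard library's hmac."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_portions(*portions):
    """Section 3.1: derive the working key from portions sent over separate routes.
    Length prefixes keep (A, B) and (B, A) or a re-split pair from colliding."""
    ikm = b"".join(struct.pack(">H", len(p)) + p for p in portions)
    return hkdf(ikm, b"", b"initial-key")


def wrap(prev_key, seq, new_key):
    """Section 3.2.1: encode follow-up key number `seq` under the previous key.
    Layout (assumed): 8-byte seq | 16-byte nonce | ciphertext | 32-byte tag."""
    nonce = secrets.token_bytes(16)
    stream = hkdf(prev_key, nonce, b"wrap-enc", len(new_key))
    body = struct.pack(">Q", seq) + nonce + bytes(a ^ b for a, b in zip(new_key, stream))
    tag = hmac.new(hkdf(prev_key, b"", b"wrap-mac"), body, hashlib.sha256).digest()
    return body + tag


def unwrap(prev_key, expected_seq, msg):
    """Verify the tag first, then the sequence number, then decode the key."""
    if len(msg) < 8 + 16 + 32:
        raise ValueError("short message")
    body, tag = msg[:-32], msg[-32:]
    good = hmac.new(hkdf(prev_key, b"", b"wrap-mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    if struct.unpack(">Q", body[:8])[0] != expected_seq:
        raise ValueError("unexpected sequence number")
    nonce, ct = body[8:24], body[24:]
    stream = hkdf(prev_key, nonce, b"wrap-enc", len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class Endpoint:
    """Aircraft or TRCC side: holds the current key and accepts follow-up keys."""

    def __init__(self, initial_key):
        self.key, self.seq = initial_key, 0

    def receive(self, msg):
        try:
            new_key = unwrap(self.key, self.seq + 1, msg)
        except ValueError:
            return False  # reject and keep using the current key
        self.key, self.seq = new_key, self.seq + 1
        return True


if __name__ == "__main__":
    # Constructed sample portions standing in for sources 106A and 106D.
    k1 = combine_portions(secrets.token_bytes(16), secrets.token_bytes(16))
    aircraft, trcc = Endpoint(k1), Endpoint(k1)
    k2 = secrets.token_bytes(32)
    m2 = wrap(k1, 1, k2)
    print("aircraft accepted:", aircraft.receive(m2), "TRCC accepted:", trcc.receive(m2))
    print("replay accepted:", aircraft.receive(m2))
    print("keys agree:", aircraft.key == trcc.key == k2)
```

Because each follow-up key is decoded with the one before it, any party holding the initial key and a recording of the wrapped messages can follow the whole chain; nesting limits how long each key is in use but does not recover from exposure of the first key. Sending a follow-up key unencoded over a different source or route, as Section 3.2 also permits, is what breaks that dependency.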

3.2.2 Encryption Directing Unit

The transmission of the encryption key to the aircraft 100 and to the TRCC 102 may be controlled by a separate “encryption directing unit” which controls (a) the timing of issuance of follow-up encryption keys and/or (b) the source of the encryption key, i.e. which among elements 106A, 106B, 106C or 106D generates a particular follow-up key.

4. Use of Highly Directional Transmitting and Receiving Means to Prevent Access by Unauthorized Person

4.1 Highly Directional Means Between Controlled Aircraft and Satellite, and Between Terrestrial Remote Control Center and Satellite

FIG. 8 illustrates the use of highly directional antennae to protect against interception of or access to transmissions between TRCC 102 and aircraft 100. A highly directional antenna 112 aboard an aircraft 100 is used to communicate with satellite 110C, which may also contain one or more highly directional antennae as well as omnidirectional antennae. As shown in the figure, aircraft antenna 112 communicates with satellite antenna 111F. The aircraft directional antenna 112 prevents communication with the aircraft by a ground-based unauthorized person, while the satellite directional antenna 111F limits unauthorized ground access to signals that it transmits. Each highly directional antenna should incorporate means to align the antenna (e.g. element 112) with its counterpart (e.g. element 111F).

Signals to and from satellite 110C are sent via directional antenna 111E and may be relayed to TRCC 102 directly, or via one or more additional satellites, e.g. 110A and 110B as shown in FIG. 8. Each satellite may contain one or more highly directional antennae. As shown in FIG. 8:

(a) Highly directional antenna 111E aboard satellite 110C sends signals to and receives signals from highly directional antenna 111D aboard satellite 110B;
(b) Highly directional antenna 111C aboard satellite 110B sends signals to and receives signals from highly directional antenna 111B aboard satellite 110A; and,
(c) Highly directional antenna 111A aboard satellite 110A sends signals to and receives signals from highly directional antenna 113 at the TRCC 102.

Each highly directional antenna should incorporate means to align the antenna with its counterpart. Encrypted information containing the coordinate position and altitude, and possibly also the direction, speed and flight plan of aircraft 100 may be transmitted to satellite 110C and used by it to align its antenna 111F with aircraft 100. The position information may be obtained from global positioning satellite information, and/or from other instruments aboard the aircraft.

The relayed signals could contain either (a) encryption keys or (b) data from aircraft 100 and commands used to control the flight of aircraft 100. To further protect against interception of or access to transmissions between TRCC 102 and satellite 110A (or any satellite that communicates with TRCC 102), the TRCC 102 should preferably be located at a point surrounded by a large, easily monitored area such as a desert, or at sea, since an unauthorized person attempting to transmit or receive aircraft information would need to be located near the TRCC 102, because of the directional transmitting and receiving characteristics of the system.

4.2 Highly Directional Means Using an Intercepting Aircraft

FIGS. 9A-9D illustrate the use of an intercepting aircraft 114 to (a) form a highly secure communications link with controlled aircraft 100 and (b) allow for the direct observation of aircraft 100. The intercepting aircraft 114 contains either (a) an airborne remote control center (as shown in FIGS. 9A and 9B), or (b) a signal repeating unit which is linked to a terrestrial remote control center (as shown in FIGS. 9C and 9D). Intercepting aircraft 114 also contains highly directional transmitting and receiving apparatus 118 which sends signals to and receives signals from a second highly directional transmitting and receiving apparatus 120 aboard the controlled aircraft 100, to prevent access to signals for the remote control of aircraft 100, thereby greatly reducing the likelihood that an unauthorized person could transmit or receive such signals.

The flight plan for the controlled aircraft may be determined by personnel aboard the intercepting aircraft, and executed using airborne remote control center (ARCC) 116, as shown in FIGS. 9A and 9B. Alternatively, as shown in FIGS. 9C and 9D, the flight plan may originate at a terrestrial remote control center (TRCC) and be transmitted to the intercepting aircraft 114. In the latter case, the encrypted plan may be transmitted via a ground network (as shown in FIG. 9C), a satellite network (as shown in FIG. 9D), or both.

4.2.1 Airborne Remote Control Center is Used to Control the Intercepted Aircraft

4.2.1.1 Direct Link Between Intercepting and Controlled Aircraft

FIG. 9A shows intercepting aircraft 114 containing an ARCC 116 and highly directional transmitting and receiving apparatus 118A.

The ARCC contains equipment which performs the same function as that in the TRCC 102. It receives information from aircraft 100 such as the throttle, elevator, rudder, flap, aileron and landing gear positions, the location and velocity of aircraft 100, the remaining fuel in each tank, and audio and video information from both the cockpit and the cabin of aircraft 100. One or more flight controlling personnel at the ARCC 116 assess the aforementioned information in conjunction with other information including:

(a) visual inspection of aircraft 100 and its performance;
(b) radar information about the position of aircraft 100 and possibly the position of other aircraft;
(c) information from transponders aboard aircraft 100; and,
(d) information such as news of other relevant events, e.g. a terrorist action, from terrestrial sources.

The flight controlling personnel use the information to: (a) make a decision about whether to take control over aircraft 100; and (b) pilot the aircraft 100, once they have made the decision to take control. The flight controlling personnel control the aircraft 100 by sending control signals which control each of the functions of aircraft 100 that would ordinarily be controlled by the pilot of aircraft 100, such as the throttles, the elevator, the rudder, the flaps, the ailerons and the landing gear.

Highly directional transmitting and receiving apparatus 118A communicates with the highly directional transmitting and receiving apparatus 120A aboard the controlled aircraft 100. The signals transmitted between apparatus 118A aboard the intercepting aircraft 114 and apparatus 120A aboard the controlled aircraft 100 may be radio frequency, optical, infrared, ultraviolet or the like. Two way transmission of highly directional signals is symbolized by the double arrow 122. Apparatus 118A and 120A need not necessarily point in a direction that is parallel to the line of flight of aircraft 114 and 100, but they should point towards each other. The angle between each apparatus and the aircraft on which it resides would be a controllable parameter, and means to align each highly directional apparatus would be incorporated. This would allow the altitude of aircraft 114 to be greater than or less than that of aircraft 100. Similarly, it would allow the intercepting aircraft 114 to be situated to the right or left of the controlled aircraft 100, and it would allow control of aircraft 100 when the line of flight of the two aircraft is not the same.

As aircraft 114 approaches aircraft 100, the power of the signals transmitted by aircraft 100 could be reduced, thereby making remote reception of these signals by an unauthorized person more difficult; similarly, the sensitivity of the receiver aboard aircraft 100 could be reduced, thereby making remote transmission to aircraft 100 by an unauthorized person more difficult.

4.2.1.2 Link Between Intercepting and Controlled Aircraft is via Satellite

FIG. 9B shows a situation in which the encrypted information, which is exchanged between controlled aircraft 100 and the ARCC 116, is relayed by satellite 110D. The information is exchanged between upward oriented highly directional transmitting and receiving apparatus 118B aboard intercepting aircraft 114 and highly directional antenna 111G aboard satellite 110D, along path 124. Upward oriented transmitting and receiving apparatus 120B aboard controlled aircraft 100 allows for the exchange of signals between satellite 110D, via highly directional antenna 111H, and controlled aircraft 100 along path 126. Thus the combination of path 124, antenna 111G, satellite 110D, antenna 111H and path 126 in FIG. 9B is analogous to path 122 in FIG. 9A.

Each highly directional antenna should incorporate means to align the antenna with its counterpart. Encrypted information containing the coordinate position and altitude, and possibly also the direction, speed and flight plan of intercepting aircraft 114 may be transmitted to satellite 110D and used by it to align its antenna 111G with aircraft 114. Encrypted information containing the coordinate position and altitude, and possibly also the direction, speed and flight plan of aircraft 100 may be transmitted to satellite 110D and used by it to align its antenna 111H with aircraft 100. The position information may be obtained from global positioning satellite (G.P.S.) information, and/or from other instruments aboard the aircraft.

4.2.2 Transmission of Encryption Key to Intercepting Aircraft

The encryption key or keys could be transmitted to the intercepting aircraft 114 before or after the intercepting aircraft takes off. The encryption key could be transmitted to the intercepting aircraft:

(a) from the controlled aircraft 100, as intercepting aircraft 114 approaches controlled aircraft 100;
(b) from the controlled aircraft 100, via satellite, as shown in FIG. 9B;
(c) directly from a satellite, analogous to that shown in FIG. 7;
(d) from the terrestrial remote control center, either via terrestrial repeater network (analogous to FIG. 1A) or via one or more satellites (analogous to FIG. 1B) or via both terrestrial repeater network and satellite(s);
(e) from a freestanding encryption system, (analogous to FIG. 2, but including additional ground transmitting apparatus and, possibly, ground based and/or satellite based repeating units).

4.2.3 Terrestrial Remote Control Center is Used to Control the Intercepted Aircraft

In FIGS. 9C and 9D the intercepting aircraft 114 does not contain an airborne remote control center. Aircraft 100 is controlled from the terrestrial remote control center, with data and control signals relayed via a signal repeater 116 aboard intercepting aircraft 114.

4.2.3.1 Direct Link Between Terrestrial Remote Control Center and Intercepting Aircraft

FIG. 9C shows a method of controlling aircraft 100 in which:

(a) The aircraft 100 is controlled from a terrestrial remote control network 103;
(b) Information passes between aircraft 100 and terrestrial remote control network 103 via signal repeater 116 carried aboard intercepting aircraft 114;
(c) A pair of highly directional transmitting and receiving apparatus, 118A and 120A, is carried aboard intercepting aircraft 114 and controlled aircraft 100 to assure restriction of access to communications between them;
(d) Means to align each highly directional apparatus is incorporated; and
(e) The power of the signal transmitted by aircraft 100 and the sensitivity of the receiver aboard aircraft 100 could be reduced as intercepting aircraft 114 approaches aircraft 100.

Terrestrial remote control network 103 includes: (a) terrestrial remote control center 102 and (b) terrestrial repeater network 104, both of which are shown in FIG. 1A. A highly directional antenna 113 linked to the terrestrial network communicates with highly directional antenna 118C aboard intercepting aircraft 114 via path 130. Means to align each highly directional antenna is incorporated. Coordinate position and altitude, and possibly also velocity and flight plan information from either of the two aircraft 100 and 114 may be used in the alignment of antennae 113 and 118C.

FIG. 9C shows a direct communications path 122 between directional apparatus 118A and 120A. Alternatively, in a manner analogous to FIG. 9B, a satellite and upwardly oriented transmitting and receiving apparatus aboard each of the aircraft for communication with a satellite, may be substituted for the direct path 122 between the two aircraft.

4.2.3.2 Link Between Terrestrial Remote Control Center and Intercepting Aircraft is via Satellite

FIG. 9D shows a method of controlling aircraft 100 which is similar to that shown in 9C, except that a satellite, rather than a terrestrial repeater network, carries the communications between the TRCC and the signal repeater 116 aboard intercepting aircraft 114. Thus, the satellite 110E and its associated communication paths 132 and 134 (shown in FIG. 9D), replace communications path 130 (shown in FIG. 9C). The satellite would obviate the need for a terrestrial repeater network, and hence the terrestrial remote control network 103 of FIG. 9C is replaced by the terrestrial remote control center 102 of FIG. 9D.

Satellite 110E contains a highly directional antenna 111J for communicating with another highly directional antenna 113 at the terrestrial remote control center 102. It also contains a highly directional antenna 111K for communicating with another highly directional antenna 118B on intercepting aircraft 114. Each highly directional antenna incorporates means for properly aligning the antenna. Coordinate position and altitude, and possibly also velocity and flight plan information from either of the two aircraft 100 and 114 may be used in the alignment of antennae 111K and 118B.

Referring again to FIG. 9D, a network of satellites could be substituted for the single satellite 110E.

In an alternative configuration, a hybrid system, consisting of both terrestrial and satellite-based repeater units could be interposed between terrestrial remote control center 102 and intercepting aircraft 114.

FIG. 9D shows a direct communications path 122 between directional apparatus 118A and 120A. Alternatively, in a manner analogous to FIG. 9B, a satellite and upwardly oriented transmitting and receiving apparatus aboard each of the aircraft, may be substituted for the direct path between the two aircraft.

4.3 Summary of In-flight Control Options

Table 2, below, summarizes the options for the control of aircraft 100, and indicates which figure shows each option. In the table, the “source” refers to the center from where the aircraft is controlled, i.e. either the terrestrial (TRCC) or the airborne (ARCC) remote control center. The “route” refers to the intervening components, if any, that signals traverse between the source and the controlled aircraft.

TABLE 2 In-flight Control Options

Source:   Route:                               FIG.:
TRCC      Terrestrial Network                  1A
TRCC      Satellite                            1B, 8
ARCC      Direct                               9A
ARCC      Satellite                            9B
TRCC      Interceptor Aircraft                 9C
TRCC      Satellite and Interceptor Aircraft   9D

5. Source of Takeover Command for the Controlled Aircraft

5.1 Pilot Initiated Takeover, PITO

The initiation of flight takeover may be either at the request of the pilot or other authorized personnel aboard aircraft 100. This situation is referred to as ‘Pilot Initiated Takeover,’ or PITO in the text which follows.

5.2 Remote Initiated Takeover, RITO

Alternatively, the initiation of flight takeover may come from a person not aboard aircraft 100, in which case it is referred to as “Remote Initiated Takeover,” or RITO in the text which follows. RITO may be initiated by personnel aboard intercepting aircraft 114, or by ground based personnel. The advantage of restricting RITO to airborne personnel is that it greatly limits the ability of an unauthorized person to gain control of aircraft 100. The disadvantage of restricting RITO to airborne personnel is the delay inherent in both dispatching an intercepting aircraft, and in having it reach the aircraft to be controlled 100.

6. Operational and Flow Diagrams

6.1 Master Aircraft Control

FIG. 13 shows the Master Aircraft Control System.

At all times, each controllable item, e.g. the throttles, the elevator, the rudder, the flaps, the ailerons and the landing gear may be controlled by one of three sources of control:

(a) the pilot;
(b) the terrestrial or airborne remote control center; or
(c) a backup autopilot.

Alternatively (i.e. post-landing), control of an item may be restricted from all three of the aforementioned sources. Table 3, below, summarizes the four possible states of the master aircraft control 200.

TABLE 3 Master Aircraft Control States

Master Aircraft Control State   Aircraft Status:
1                               Aircraft controlled by pilot
2                               Aircraft controlled by TRCC or ARCC
3                               Aircraft controlled by autopilot
4                               Post Landing: additional restrictions

Referring again to FIG. 13, Master Aircraft Control or “MAC” 200 is essentially a four position selector switch for each of the systems which control flight of the aircraft. That is, depending on which of four states the MAC 200 is in, any particular controllable item (such as the throttles, for example) would be controlled:

(a) by signals 202 from the on-board pilot; or,
(b) by signals 204 sent from a remote control center (either TRCC or ARCC); or,
(c) by autopilot control signals 206; or,
(d) would be locked out (e.g. the throttles placed in the closed position, post landing).

Besides the three sets of aircraft system control signals 202, 204 and 206 which input the MAC 200, there are four state-setting inputs 208A, 208B, 208C and 208D to the MAC:

(a) An input signal at 208A causes MAC 200 to enter MAC State 1.
(b) An input signal at 208B causes MAC 200 to enter MAC State 2.
(c) An input signal at 208C causes MAC 200 to enter MAC State 3.
(d) An input signal at 208D causes MAC 200 to enter MAC State 4.

The input signals at 208A-D come from the microprocessor shown in FIG. 10A and discussed below. The logic used by this microprocessor is shown in FIG. 10C and discussed below.

6.1.1 MAC State Transition Rules

The rules for transitions between MAC states are summarized below in Table 4:

TABLE 4 Rules for Transitions Between MAC States Associated with Remote Controlled Flight

From MAC State:   To MAC State:   Transition Initiated By:
1                 2               PITO or RITO
2                 3               Communications Failure
3                 2               Communications Restoration
2                 1               Failure of Both Communications and Autopilot
3                 1               Failure of Both Communications and Autopilot
Any               4               Aircraft Landing
4                 1               Loading of New Encryption Codes

6.1.1.1 Transitions from MAC State 1

The transition from MAC State 1 (on-board pilot controlled flight) to MAC State 2 (flight controlled by TRCC or ARCC) may be initiated by the on-board pilot (PITO) or by personnel in a remote control center (RITO). In highly unusual circumstances, discussed below in Section 6.1.1.2.2, there may be a transition from MAC State 2 back to MAC State 1 following a failure of both the communications system and the autopilot.

6.1.1.1.1 Pilot Initiated Takeover

If the pilot and/or any other designated on-board flight personnel become aware of an actual or an intended hijacking or terrorist action involving aircraft 100, they may initiate a PITO (Pilot Initiated Takeover) command. The act of initiating the command may entail any of the following:

(a) One or more of the on-board personnel of aircraft 100 would press one or more buttons, one or more times. Each designated button pressing person might press the same or a different button, and might press it the same or a different number of times. An alternative to button press is touching one or more touch-sensitive screens or other surfaces.
(b) One or more of the on-board personnel of aircraft 100 would speak a certain word or combination of words. The word or words for any one such person need not be the same as the word or words for any other such person. Voice recognition software (as is known in the art) running on a microprocessor would be used to distinguish the appropriate word or words and the appropriate speaker of the word or words.
(c) One or more of the on-board personnel of aircraft 100 would input an alphanumeric code by means of one or more input devices aboard the aircraft. The code and the inputting device need not be the same for each inputting person.
(d) Combinations of (a), (b) and/or (c), immediately above.

In addition, any aspect of any of the aforementioned could be changed from time to time, e.g. the button(s) to be pressed, the word(s) to be spoken, the person(s) to do the speaking, etc.

PITO-related hardware and software is discussed below in Section 6.2.1.2.1 and shown in FIG. 10D.

6.1.1.1.2 Remote Initiated Takeover

If the Air Traffic Controller, or any other designated person or persons become aware that an aircraft is or may be subject to a possible or actual hijacking or terrorist action, they may initiate a RITO (Remote Initiated Takeover Command). Such awareness may be based on:

(a) inappropriate action of the pilot or of the aircraft 100;
(b) unauthorized and/or inappropriate deviation of the aircraft from a previously-filed flight plan;
(c) a pilot not properly responding to requests (either terrestrial or air-based) to alter his flight plan;
(d) aircraft 100 over-flying a restricted airspace;
(e) the monitoring of audio from on-board aircraft 100 indicating that the pilot is not able to properly control the aircraft;
(f) the monitoring of video from on-board aircraft 100 indicating that the pilot is not able to properly control the aircraft;
(g) direct visual observation of aircraft 100 by persons aboard a nearby aircraft;
(h) the request of the pilot of the aircraft 100, or of any designated person or persons aboard the aircraft;
(i) a PITO that was issued in a manner that does not exactly meet the pre-established PITO technique, code, word or action;
(j) information from other sources of information (e.g. military information, news media, or individual persons other than the pilot and designated aircraft crew) that aircraft 100 is the subject of a hijacking or terrorist action; and/or
(k) combinations of two or more of (a) through (j), immediately above.

In one embodiment of the invention, any PITO command would have to be followed by a confirmatory action by a person in the TRCC or ARCC in order to cause MAC 200 to go from MAC State 1 to MAC State 2. In this case, the decision of a TRCC or ARCC person to take control could be based on:

(a) the PITO itself (e.g. whether it was initiated in exactly the proper manner);
(b) any one or more of the RITO criteria (a) through (j), above; or
(c) a combination of PITO and RITO criteria.

RITO is initiated after personnel in a terrestrial remote control center make a decision to take control over aircraft 100. These personnel send an encrypted command (see below, FIG. 17 discussion) from the TRCC causing the Master Aircraft Control 200 aboard aircraft 100 to enter MAC State 2. Alternatively, personnel in a TRCC may decide to cause an intercepting aircraft 114 containing an airborne remote control center (FIGS. 9A, 9B) to fly to the vicinity of aircraft 100. Once there, personnel in the ARCC may, if appropriate, send an encrypted command causing MAC 200 to enter MAC State 2.

6.1.1.1.3 Other Transitions from MAC State 1

There are two classes of other circumstances in which transitions from MAC State 1 may occur: (a) following entry into MAC State 2, and (b) during the course of an ordinary, non-remote controlled flight.

As discussed below, in Section 6.1.1.2.2, MAC State 1 may be entered after MAC State 2, in the highly unlikely situation of a dual failure of both the remote control communication system and the autopilot. Following restoration of the function of either one of the remote control communication system or the autopilot, a transition from MAC State 1 to either MAC State 2 (if the communication system is restored) or MAC State 3 (if the autopilot but not the communication system is restored) may occur.

During the course of an ordinary non-remote controlled flight, the pilot will normally have occasion to use the autopilot. In such a situation, a pilot-initiated transition from MAC State 1 to MAC State 3 would occur. The pilot could, at any time after this, cause the MAC 200 to return to MAC State 1. Immediately following landing of the aircraft during an ordinary flight, a transition to MAC State 4 occurs (see below, Sections 6.1.1.3 and 6.1.1.4).

6.1.1.2 Transitions from MAC State 2

Entry into MAC State 2 is generally from MAC State 1, as discussed above. It may be entered from MAC State 3, after remote control communication is re-established after an interruption. MAC State 2 may not ordinarily be entered from MAC State 4.

Once MAC State 2 is entered, there are three possible MAC State transitions.

6.1.1.2.1 Transition from MAC State 2 to MAC State 3

In the event of a failure of or interruption of the communications system(s) which supports the remote control of aircraft 100, MAC 200 would enter MAC State 3 (control of the aircraft by autopilot) in order to maintain control of the aircraft. Hereinafter and hereinbefore, autopilot refers to the control of each of the systems which controls the flight of the aircraft. If communication is interrupted and then restored, MAC 200 re-enters MAC State 2. A continuous or semi-continuous handshaking process between the communication system aboard aircraft 100 and the communication system of the TRCC or ARCC is used to detect a possible break in and restoration of communications (discussed below).

In the event of a high incidence of transitions between MAC State 2 and MAC State 3 (referred to below as “hunting”), the system may (as an optional design feature) enter MAC State 3 for a more prolonged period of time, i.e. until the intermittent communications interruption problem is better remedied. Alternatively, personnel in the RCC could, upon observing frequent breaks in the handshaking process, make the decision to send a “SET MAC STATE=3” command (See Section 6.2.2.2.2.2).

6.1.1.2.2 Transition from MAC State 2 to MAC State 1, an Optional System Feature

During the course of a remote controlled flight, in the event of (a) failure of the autopilot, followed by (b) intermittent failure or interruption of the communications system(s) which supports the remote control of aircraft 100, MAC 200 could re-enter MAC State 1 upon receiving a command to do so from the remote control center. This is an optional design feature of the invention. The logic behind this MAC State transition format is that in such a situation (i.e. intermittent failure of communication with the RCC and failure of the autopilot), even though a transition to MAC State 1 might return control of an aircraft to a terrorist or hijacker, not making the transition to MAC State 1 might mean near certain crash of aircraft 100 because of inability of either the RCC or the autopilot to properly control it. Other situations in which a RCC command to change the MAC state from 2 to 1 could be appropriately issued are discussed below in Section 6.2.2.2.2.2.

Embodiments of the invention are possible in which the aforementioned dual failure does not cause a transition to MAC State 1 (see Section 6.2.2.2.3(e)). Embodiments of the invention are possible in which failure of the autopilot, accompanied by complete communications failure between the RCC and the pilot, results in an automatic transition to MAC State 1 (see Section 6.2.2.2.3(f)).

If, after a transition from MAC State 2 to MAC State 1, either the communication system or the autopilot is restored, there are a number of possible outcomes discussed hereinbelow and in Section 6.2.2.2.3(f):

(a) If the function of the communication system is completely restored, MAC State 2 could be re-entered either by command of the personnel in the remote control center (RITO), or the pilot (PITO). In an alternative embodiment, the system could automatically re-enter MAC State 2 in this circumstance.
(b) If the function of the autopilot is restored and the communication system is not operative, the pilot could cause a transition to MAC State 3 by sending a PITO command. (The algorithm shown in FIG. 10C and described below in Section 6.2.2 would operate in this manner.)
(c) If the function of the autopilot is restored and the communication system is intermittently operating, the RCC personnel may send a SET MAC=3 command.

In a preferred embodiment of the invention, once the system is in MAC State 2, it could only return to MAC State 1 (i) if both communication with the RCC and the backup autopilot failed, or (ii) post landing. However, alternative embodiments might allow a MAC State 2 to MAC State 1 transition under other circumstances initiated by either (i) the pilot/crew (upon the proper issuing of the appropriate password(s)), (ii) the RCC personnel, or (iii) both.

6.1.1.2.3 Transition from MAC State 2 to MAC State 4

Once aircraft 100 has landed, MAC 200 enters MAC State 4. Entry into this state would be caused automatically, by sensors within aircraft. Once in MAC State 4, aircraft 100 could not be flown again until the MAC system is reset; see Section 6.1.1.4, below. This restriction could be imposed by limiting or entirely stopping fuel flow to the engines once a minimal amount of post-landing taxiing is allowed for.

6.1.1.3 Transitions from MAC State 3

Transitions from MAC State 3 have already been discussed:

-   (a) to MAC State 1, during non-remote control aircraft operation, see Section 6.1.1.1.3; and
-   (b) to MAC State 2 during remote control operation, see Section 6.1.1.2.1.

A discussion of the circumstances and consequences of the transition from MAC State 3 to MAC State 1 parallels the discussion of the transition from MAC State 2 to MAC State 1, above, in Section 6.1.1.2.2.

During the course of a remote controlled flight, in the event of (a) intermittent failure or interruption of the communications system(s) which supports the remote control of aircraft 100, followed by (b) failure of the autopilot, MAC 200 could, as an optional design feature of the invention, re-enter MAC State 1 upon receiving a command to do so from the RCC. Other situations in which a remote control center command to change the MAC state from 3 to 1 could be appropriately issued are discussed below in Section 6.2.2.2.2.2.

Embodiments of the invention are possible in which the aforementioned dual failure does not cause a transition to MAC State 1. Embodiments of the invention are possible in which failure of the autopilot, accompanied by complete communications failure between the RCC and the pilot, results in an automatic transition to MAC State 1.

If, after a transition from MAC State 3 to MAC State 1, either the communication system or the autopilot is restored, there are a number of possible outcomes which are entirely parallel to those discussed in Section 6.1.1.2.2 above.

In a preferred embodiment of the invention, once the system is in MAC State 3, it could only return to MAC State 1 (i) if both communication with the RCC and the backup autopilot failed, or (ii) post landing. However, alternative embodiments might allow a MAC State 3 to MAC State 1 transition under other circumstances initiated by either (i) the pilot/crew (upon the proper issuing of the appropriate password(s)), (ii) the RCC personnel, or (iii) both.

If aircraft 100 lands while it is being controlled by the autopilot, the aircraft enters MAC State 4, in a manner similar to that described immediately above in Section 6.1.1.2.3.

6.1.1.4 Transitions from MAC State 4

Upon the landing of aircraft 100, MAC 200 enters MAC State 4, no matter which state MAC 200 was in prior to the landing.

Once in MAC State 4, the only transition possible is to MAC State 1, and this occurs only if and when a new encryption key or keys is/are loaded onto the aircraft. Thus, once it lands, aircraft 100 can not fly again until such new encryption keys have been loaded.

6.2 Source of Master Aircraft Control State-Setting Inputs

The hardware from which the MAC state-setting inputs are derived is shown in FIG. 10A (the microprocessor), FIG. 10B (encryption key related hardware on aircraft 100) and FIG. 10D (PITO-related hardware and software). FIG. 10C shows the flow diagram whose logic and operations are performed by the microprocessor shown in FIG. 10A.

6.2.1 State-Setting Microprocessor, Its Inputs and Its Outputs

6.2.1.1 State Setting Microprocessor

FIG. 10A shows the state-setting microprocessor 230. The microprocessor may be one of many types that is known in the art. It performs the following functions:

-   (a) It provides the four state-setting inputs (210A-D) to the Master Aircraft Control 200. The choice among these four is determined by the logic embodied in FIG. 10C, which is executed by the microprocessor.
-   (b) It runs PITO verification software 227A and 227B, shown in FIG. 10D and described below in Section 6.2.1.2.1.
-   (c) It runs the anti-hunting algorithm, described below in Section 6.2.2.2.1.4.

6.2.1.2 State Setting Microprocessor Inputs

The nine inputs to microprocessor 230 include:

-   (a) signal 218, derived from the aircraft remote control receiver (FIG. 11B), which carries the commands to change the MAC State, including the RITO command “SET MAC=2”;
-   (b) signals 220A and 220B, derived from the aircraft remote control receiver (hereinafter referred to as “aircraft receiver”), which indicate that a received command either has been properly encrypted (signal 220A) or has not been properly encrypted (signal 220B). This analysis is an additional protective measure against attempted access to the system by an unauthorized transmission. In a preferred embodiment of the invention, the reception of an improperly encrypted command to change the MAC State (a) results in notification of the pilot, and (b) does not result in the command being carried out. An improperly encrypted command received after setting MAC State=2 results in a transition to MAC State=3.
-   (c) signal 222, derived from the aircraft receiver, which indicates that the continuous handshaking process between the aircraft remote control transmitters and receivers, and those of the remote control center is intact.
-   (d) encryption key-related signals 224A-C:
    -   (i) In the situation (corresponding to figure when the encryption key is either locally generated or manually loaded, an encryption key reading device 232 (shown in FIG. 10B) generates signal 224A (FIGS. 10A, 10B and 10C) which is used to cause microprocessor 230 to generate a “SET MAC=1” signal at its output 210A.
    -   (ii) In the situation (corresponding to figure when the encryption key is generated aboard the aircraft, an encryption key generator 234 (shown in FIG. 10B) generates signal 224B (FIGS. 10A, 10B and 10C) which is used to cause microprocessor 230 to generate a “SET MAC=1” signal at its output 210A.
    -   (iii) In the situation (corresponding to FIG. 4) when the encryption key is generated at the terrestrial remote control center, a signal derived from the aircraft receiver generates signal 224C (FIGS. 10A, 10C and 11B) which is used to cause microprocessor 230 to generate a “SET MAC=1” signal at its output 210A.
-   (e) PITO signal 226. This signal is generated by the means used to generate the PITO command (shown in FIG. 10D and discussed below in Section 6.2.1.2.1) including: (i) one or more push-button presses, (ii) the voice of the pilot or authorized person(s), or (iii) a sequence of alphanumeric keys; and
-   (f) landing sensor signal 228. This signal is generated when aircraft 100 lands.

6.2.1.2.1 Source and Analysis of PITO Signals

FIG. 10D shows one embodiment of the source and analysis of PITO signals. The figure has three components:

-   (a) three inputting arrangements, push-buttons 225A, microphones 225B (with their associated audio processing 225C) and keyboards 225D; one or more of these sources generate one or more PITO signals 226;
-   (b) PITO signals 226; and
-   (c) Pilot Initiated Takeover Verification 238, which entails the analysis of signals 226, using software which runs on microprocessor 230. The software includes word and voice recognition programs 227A and goodness of fit evaluation 227B.

As described in Section 6.1.1.1.1, one or more presses of push-buttons 225A by one or more designated individuals may be used to cause a verified PITO signal. A goodness of fit evaluation 227B may be used to determine how precisely the push-button routine was executed. If a single button press was required, there is no question about its proper execution. However, if multiple presses of one or more buttons are required, or if a specific timing of button presses is needed, the goodness of fit evaluation indicates how the button pressing performance compares to the ideal. This evaluation runs on microprocessor 230. Performance of the button pressing in a manner which meets the criteria of the goodness of fit algorithm results in (a) output along line 239 (which continues in FIG. 10C), and (b) signal 212, which activates the aircraft transmitter (FIG. 12).

Embodiments of the invention are possible in which one or more confirmation button presses is required. Embodiments of the invention are possible in which (a) a proper performance of the button presses results in outputs 212 and 239; (b) grossly improper performance of the button presses results in no outputs at 212 and 239; and (c) marginal, i.e. nearly correct performance of the button presses requires some other action to cause outputs at 212 and 239. This other action may include: (i) repeating the initial sequence of button presses, (ii) performing an entirely different sequence of button presses, or (iii) using one of the other inputting devices. Embodiments of the invention are possible in which similar signals are generated by transducing devices other than push-buttons, including slide switches, toggle switches, microswitches, touch sensitive screens, heat sensitive devices, charge-coupled devices and photocells, each of which is known in the art.

One or more microphones 225B may serve as the PITO input transducer(s). They would be used to detect a key spoken word or sequence of words. The word or words might have to be spoken by one or more persons, either simultaneously or at pre-arranged intervals. Audio processing equipment 225C as is known in the art would be used to amplify, filter, and digitize the signals from microphones 225B. Word and voice recognition programs 227A, as are known in the art, would provide outputs which indicate (a) how good the match is for each particular word, (b) how good the match is for the proper sequence and timing of words, and (c) how good the match is for the expected person's voice which speaks each word. These items of information concerning exactitude of audio fit would be evaluated by goodness of fit evaluation 227B, as to overall acceptability, resulting in a yes/no decision.

Embodiments of the invention are possible in which one or more confirmation spoken words is required. Embodiments of the invention are possible in which a not-quite-correct audio input requires confirmation by either (a) a repeat, (b) the speaking of other words by either the same or by other persons, or (c) the use of another inputting device.

Embodiments of the invention in which the word and voice recognition software, and/or the goodness of fit software run on separate microprocessors from 230 are possible.

One or more keyboards 225D may be used as the source of the PITO signal. The signal may consist of the inputting of one or more sequences of alphanumeric characters from one or more keyboards. The inputs may need to be simultaneous, sequential, or a mixture: e.g. word #1 may need to be inputted from Keyboard #1 simultaneous with the inputting of word #2 from Keyboard #2, after which word #3 may need to be inputted from Keyboard #1, after which word #4 may need to be inputted from Keyboard #2. In this case, the output signals from the keyboard(s) constitute the PITO signals 226. The goodness of fit algorithm 227B evaluates the signals for accuracy of content and timing. Its output may utilize a yes/no format, or a yes/no/additional-confirmation-required format, as discussed previously. The additional confirmation may consist of alphanumeric input(s) or inputs from another modality. Alternatively, additional confirmation may be required even in the event of a correctly inputted sequence of characters.

Modalities other than push-button, audio and keyboard may be used as input devices. Video inputs could include an assessment of pilot action or of pilot identification, including imaging of the iris, retina or fingerprint(s). Detectors of smoke, fire or noxious vapor could also serve as an input.

Combinations of input modalities may also be utilized. For example, the PITO command could be issued when one designated person inputs a sequence of alphanumeric characters while another designated person at another location speaks a sequence of words.

6.2.1.3 State Setting Microprocessor Outputs

Referring again to FIG. 10A, the seven outputs of microprocessor 230 include four signals (210A-D) which serve as the state-setting inputs to the MAC, and three signals (PITO verification 212, pilot message 214 and anti-hunting algorithm signal 216) which indicate whether commands are reliable. These are:

-   (a) four signals 210A-D which serve as the state-setting inputs to the Master Aircraft Control 200 (shown in FIG. 13);
-   (b) PITO verification signal 212. In an embodiment of the invention, this signal may be generated after the PITO command has been verified (i.e. that (i) it is the voice of the pilot or designated person(s), or (ii) the proper sequence of buttons or alphanumeric keys has been pressed, etc.). The signal is used to enable the aircraft remote control transmitter (see discussion of FIG. 12, below).
-   (c) pilot message signal 214, indicating that a received command to Set the MAC equal to either 2, 3 or 4 was improperly encrypted. This might be an indication that (i) during a routine, non-remote controlled flight, an unauthorized person was attempting to take control of the flight; or (ii) during a remote controlled flight, an unauthorized person was attempting to interfere with the control by the terrestrial or airborne remote control center. The signal is used to notify the pilot.
-   (d) anti-hunting algorithm signal 216, from an algorithm, described above (in Section 6.1.1.2.1) and below (in Section 6.2.2.2.1.4). In a preferred embodiment of the invention, the algorithm (i) indicates the frequency of transitions (if any) between MAC State 2 and MAC State 3 and (ii) in the event of frequent transitions (which circumstance is presumed to indicate a poor communications link or an unauthorized person attempting to access the link) causes a transition to MAC State 3 until the aforementioned problem is overcome. Signal 216 is supplied to the aircraft remote control transmitter (hereinafter referred to as “aircraft transmitter”) after proper processing (see discussion of FIG. 12, below).

6.2.2 State-Setting Flow Diagram

FIG. 10C shows the flow diagram whose logic determines the state-setting input to the Master Aircraft Control.

6.2.2.1 Sequence Which Results in MAC State 1.

Pre-flight encryption key loading, by any of the three previously discussed routes, results in the generation of a “SET MAC=1” command, indicated by box 236A. This command results in the MAC switching from its post-landing state, MAC State 4, to MAC State 1, in which takeoff is enabled.

The three ways in which pre-flight encryption key loading is indicated are:

-   (a) signal 224A, indicating a local or manually loaded pre-flight encryption key;
-   (b) signal 224B, indicating a pre-flight encryption key generated onboard the aircraft; and
-   (c) signal 224C, indicating a pre-flight encryption key received via the aircraft receiver.

6.2.2.2 Sequences Which Result in MAC State 2 or MAC State 3

There are two ways that a “SET MAC=2” command may be generated. The first involves Pilot Initiated Takeover, or PITO. The second involves Remote Initiated Takeover, or RITO, in which the aircraft receives a “SET MAC=2” command.

There are five ways in which a “SET MAC=3” command may be generated:

-   (a) an intentional “SET MAC=3” command, sent from the remote control center and verified;
-   (b) a RITO command which occurs in temporal proximity to handshake interruption (Handshake is discussed below in Section 6.2.2.2.1.2.);
-   (c) a PITO command which occurs in temporal proximity to handshake interruption;
-   (d) a PITO command which occurs in temporal proximity to a command encryption error; and
-   (e) a pilot selection during ordinary, non-remote-controlled flight.

6.2.2.2.1 PITO

The PITO signal, intended to set the MAC to State 2, will do so if the following conditions are met:

-   (a) The PITO signal must be verified (Sections 6.2.1.2.1 and 6.2.2.2.1.1);
-   (b) A proper handshaking routine between the aircraft 100 and the RCC must be initiated and maintained (Section 6.2.2.2.1.2);
-   (c) Each later command (involving aircraft control) must be properly encrypted (Section 6.2.2.2.1.3); and
-   (d) The reliability of the communications link must be confirmed (Section 6.2.2.2.1.4).

Performance failure during any of (b), (c) or (d), above, results in MAC State 3.

6.2.2.2.1.1 PITO Verification

PITO signals 226 are verified for correctness of source and content. Block 238 of FIG. 10C indicates the verification process which is performed by word and voice recognition programs 227A and goodness of fit evaluation 227B, and is discussed above in Section 6.2.1.2.1 and shown in FIG. 10D.

6.2.2.2.1.2 Handshaking Routine, Pentagon Nomenclature, Backup Autopilot in the Event of Handshake Interruption

The following events occur after the PITO command has been verified.

-   (a) First, signal 212 is sent to the aircraft transmitter (FIG. 12) to enable its function.
-   (b) Next, a handshaking routine is initiated which involves the continuous confirmation that the aircraft transmitter signal has been received by the RCC receiver (FIG. 16) and that the RCC transmitter signal has been received by the aircraft receiver (FIG. 11B). The result is a source of repetitive handshake confirmation signals 222 supplied from the aircraft receiver (FIG. 11B) to microprocessor 230 (FIG. 10A), which continues as long as the handshaking routine between the remote control center and the controlled aircraft is uninterrupted.
-   (c) Pentagon 240 in FIG. 10C is a decision point. Pentagons have been used in FIGS. 10C, 11C, 16C, and 20B at decision points that involve the use of “outside information.” They correspond to the statement: “After event α (corresponding to the upper middle vertex of the pentagon), go to path β (corresponding to the lower left vertex) if outside information of one type is present, but go to path γ (corresponding to the lower right vertex) if outside information of another type is present.” The outside information which modulates the decision is symbolized by arrows pointing to the upper left and/or upper right vertices of the pentagon.

Thus pentagon 240 is interpreted as: After the PITO command is verified (line 239), if the aircraft-RCC handshake is intact, set MAC=2 (block 242); but if the handshake is not intact, set MAC=3 (block 244). This is how the autopilot (MAC=3) is selected as a backup during a possible break in communications between aircraft 100 and the remote control center. A break in communications would result in an interrupted handshake, which, at pentagon 240, would result in a selection of the autopilot.

The other three inputs to the top middle vertex of pentagon 240 are discussed below. Two of the three inputs provide a continuous repetition of the aforementioned handshake verification. The third input allows access to the handshake verification process in the event of RITO.

Returning to the discussion of pentagon 240, the outputs of pentagon 240, blocks 242 (labeled MAC=2) and 244 (labeled MAC=3) represent preliminary rather than final decisions about MAC=2 versus MAC=3. Two further assessments, discussed below in Sections 6.2.2.2.1.3 and 6.2.2.2.1.4, are required before the final decision between MAC=2 and MAC=3 is made.

6.2.2.2.1.3 Encryption Check, Repeat Cycling Through Handshake Check and Encryption Check, Backup Autopilot in the Event of Encryption Error

In an advantageous embodiment of the invention, the third requirement for setting MAC=2 is that there is a proper encryption of the last command.

Therefore, after block 242 (indicating intact handshake), the assessment proceeds to pentagon 246, which assesses whether the last command was properly encrypted. The assessment is based on inputs 220A and 220B, from the aircraft receiver. The encryption assessment (shown in FIG. 11C) is based on the most updated version of the encryption key. Input 220A would indicate correct encryption and would result in an output from pentagon 246 to block 248A; input 220B would indicate incorrect encryption and would result in output from pentagon 246 to block 244.

Since the first command in the activation sequence currently discussed is the already verified PITO command, it will, of necessity, be properly encrypted. However, later commands involving control of the aircraft systems may or may not be properly encrypted. Thus, although the first assessment, after PITO, at pentagon 246 was trivial, later assessments are not.

Block 248A, reached when command encryption is proper, results in a short (e.g. one second) delay, after which two events occur: (a) the checking cycle begins again, with repeat performance of the handshake check (indicated by line 250 to pentagon 240), and (b) information supporting the setting of MAC=2 is sent to anti-hunting algorithm 252, which is discussed in the next Section.

There are two inputs to block 244, the preliminary to setting MAC=3. The first is the “NO” output of pentagon 240, indicating an interruption in or failure to establish the handshake. The second is the “NO” output of pentagon 246, indicating improper encryption of the last command. Block 244 outputs to block 248B, which introduces a short (e.g. one second) delay after which two events occur: (a) the checking cycle begins again, with repeat performance of the handshake check (indicated by line 252 to pentagon 240), and (b) information supporting the setting of MAC=3 is sent to anti-hunting algorithm 252.

6.2.2.2.1.4 Final Decision to “SET MAC=2” versus “SET MAC=3”: The Anti-Hunting Algorithm

The anti-hunting algorithm analyzes the outputs of blocks 248A and 248B, as the final step in the decision, MAC=2 versus MAC=3. If only block 248A is outputting, indicating that each handshake check reveals an intact handshake, and each encryption check reveals proper encryption, then the algorithm signals block 236B, resulting in signal output 210B to the Master Aircraft Control, resulting in MAC State 2. If, on the other hand, only block 248B is outputting, indicating either handshake problems, encryption problems, or a mixture of the two problems, then the algorithm signals block 236C, resulting in signal output 210C to the Master Aircraft Control, resulting in MAC State 3.

If there is a mixture of outputs from both blocks 248A and 248B, the anti-hunting algorithm allows for smoothing of the response. For example, the anti-hunting algorithm could be programmed to prevent momentarily switching to and from the autopilot if a communication problem between the terrestrial remote control center and the controlled aircraft results in the failure of one out of every twenty handshakes. In this circumstance, it would select MAC State 2. The algorithm could be programmed to deal with a high fraction (e.g. 50%) of handshake failures, by selecting MAC=3.

There are a limitless number of possible anti-hunting algorithms. Among the types of algorithm format are:

-   (a) a smoothing algorithm which involves:
    -   (i) looking at a moving “window” (e.g. the last 20 events) of the outputs of blocks 248A and 248B;
    -   (ii) assigning the value 1 to 248A events and 0 to 248B events, and averaging the last 20 events; and
    -   (iii) setting MAC=2 when the moving average exceeds a given value (e.g. 0.8) and otherwise setting MAC=3 (e.g. when the moving average is less than or equal to 0.8);
-   (b) a smoothing algorithm similar to that described in (a), above, but in which the most recent events receive greater arithmetic emphasis, in the calculation of the moving average;
-   (c) algorithms in which even a single input or a small number of inputs from block 248B results in a major bias to set MAC=3; e.g.,
    -   (i) an algorithm in which a single input or a small number of inputs from 248B sets MAC=3 until aircraft 100 is near an intercepting aircraft 114 or an airfield;
    -   (ii) an algorithm in which a single input or a small number of inputs from 248B sets MAC=3 for a fixed period of time; and
    -   (iii) an algorithm in which a single input or a small number of inputs from 248B sets MAC=3 until a given (large) number of consecutive 248A outputs occurs.
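The algorithm formats (a), (b) and (c)(iii) listed above, written out as an added Python example that is not part of the patent. The class names, the linear recency weights, averaging over fewer events until the window fills, and the recovery count of 50 are assumptions; the event sequences are constructed.

```python
from collections import deque

MAC_REMOTE = 2      # MAC State 2: aircraft flown from the RCC
MAC_AUTOPILOT = 3   # MAC State 3: autopilot as backup


class MovingAverageAntiHunting:
    """Formats (a) and (b): moving average over the last `window` check cycles.

    Each cycle contributes 1 (block 248A: handshake intact and command
    properly encrypted) or 0 (block 248B). With recency_weighted=True the
    newest event gets the largest weight (linear weights are an assumption).
    """

    def __init__(self, window=20, threshold=0.8, recency_weighted=False):
        self.events = deque(maxlen=window)
        self.threshold = threshold
        self.recency_weighted = recency_weighted
        self.average = 0.0

    def update(self, ok):
        self.events.append(1 if ok else 0)
        if self.recency_weighted:
            weights = range(1, len(self.events) + 1)   # oldest=1 ... newest=n
        else:
            weights = [1] * len(self.events)
        self.average = (sum(w * e for w, e in zip(weights, self.events))
                        / sum(weights))
        # Rule (a)(iii): MAC=2 only when the average exceeds the threshold.
        return MAC_REMOTE if self.average > self.threshold else MAC_AUTOPILOT


class LatchingAntiHunting:
    """Format (c)(iii): a single 248B output sets MAC=3 until `recover_after`
    consecutive 248A outputs have occurred."""

    def __init__(self, recover_after=50):
        self.recover_after = recover_after
        self.good_run = recover_after      # assumption: start unlatched

    def update(self, ok):
        self.good_run = self.good_run + 1 if ok else 0
        if self.good_run >= self.recover_after:
            return MAC_REMOTE
        return MAC_AUTOPILOT


def run(algorithm, events):
    """Feed a sequence of check results and collect the SET MAC decisions."""
    return [algorithm.update(ok) for ok in events]


def raw_decisions(events):
    """No smoothing at all: every failed check flips to the autopilot."""
    return [MAC_REMOTE if ok else MAC_AUTOPILOT for ok in events]


def count_switches(decisions):
    """Number of MAC State changes, i.e. how much the output 'hunts'."""
    return sum(1 for a, b in zip(decisions, decisions[1:]) if a != b)


# Constructed inputs: True = block 248A output, False = block 248B output.
ONE_IN_TWENTY = ([True] * 19 + [False]) * 5    # 1 failure per 20 checks
HALF_FAILING = [False, True] * 50              # 50% failures
BURST = [True] * 20 + [False] * 4              # clean link, then a run of failures

if __name__ == "__main__":
    for name, events in [("1 in 20", ONE_IN_TWENTY), ("50%", HALF_FAILING)]:
        smooth = run(MovingAverageAntiHunting(), events)
        print(name, "raw switches:", count_switches(raw_decisions(events)),
              "smoothed switches:", count_switches(smooth),
              "final:", smooth[-1])
    print("plain reacts at check", run(MovingAverageAntiHunting(), BURST).index(3) + 1)
    print("weighted reacts at check",
          run(MovingAverageAntiHunting(recency_weighted=True), BURST).index(3) + 1)
    print("latched:", run(LatchingAntiHunting(), ONE_IN_TWENTY).count(3),
          "of 100 checks in MAC State 3")
```

With the page's example values (window 20, threshold 0.8), the one-in-twenty link stays in MAC State 2 throughout, the half-failing link stays in MAC State 3, and the latching format trades availability of remote control for a single switch to the autopilot.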

Referring again to FIG. 10C, the anti-hunting algorithm output, besides causing SET MAC=2 and SET MAC=3 signals, also produces signal 216. Signal 216, supplied to the aircraft transmitter, provides information to the RCC about the status of the algorithm. Such information may include one or more of:

-   (i) the input to the algorithm, i.e. the series of 0's and 1's described in (a)(ii) above;
-   (ii) the moving average of the 0's and 1's of the algorithm described in (a)(iii) above; and
-   (iii) the output of the algorithm, i.e. the series of SET MAC=2 and SET MAC=3 commands.

6.2.2.2.2 Remote Initiated MAC State Commands

A remote-initiated change of MAC State is initiated when an appropriately encoded and encrypted signal is sent from either a terrestrial or airborne remote control center. The signal is received by the aircraft receiver, FIG. 11B, and sent to microprocessor 230 as signal 218. The signal may call for setting MAC 200 to either MAC State 1, MAC State 2 or MAC State 3. The command to set the MAC to State 2, enabling remote control of the aircraft, is the RITO command.

6.2.2.2.2.1 RITO

A Remote Initiated Takeover, or RITO, is initiated when an appropriately encoded and encrypted “SET MAC=2” signal is sent from either a terrestrial or airborne RCC. The signal is received by the aircraft receiver, FIG. 11B, and sent to microprocessor 230 as signal 218.

In flow diagram 10C, signal 218 leads to block 254, with two results: (a) signal 212 is sent, which enables the aircraft transmitter; and (b) pentagon 256 checks whether the RITO command was properly encrypted. As was the case with the aforementioned PITO command, signal 220A indicates that the RITO command is properly encrypted while signal 220B indicates that it is not.

If the command was not properly encrypted, it is assumed to be an indication of a possible attempt by an unauthorized person to assume control of the aircraft, and the pilot is therefore notified by output signal 214. If the command was properly encrypted, it is then routed appropriately, as indicated by block 258.

Block 258 directs the RITO command, “SET MAC=2,” to pentagon 240 where the sequences of events in the above sections 6.2.2.2.1.2, 6.2.2.2.1.3 and 6.2.2.2.1.4 occur and then repeat, as was discussed.

6.2.2.2.2.2 Remote Commands to Set MAC=3 or MAC=1

There are certain situations where the personnel in the RCC may have occasion to set the Master Aircraft Control to a State other than 2.

If there are communications interruptions or problems, in which neither the anti-hunting algorithm nor the encryption verification system causes the MAC to enter State 3, or cause the MAC to enter State 3 intermittently, the RCC personnel may decide to induce a more prolonged entry to MAC State 3. Another indication for inducing MAC State 3 would be if the remote control center personnel become aware of attempts to interfere with or jam communications between the RCC and the aircraft.

The RCC personnel would accomplish this by sending a command to “SET MAC=3.” The command would be initially routed along the same path as the aforementioned “SET MAC=2” command. It would leave the aircraft receiver as signal 218 and go to the microprocessor 230 (FIG. 10A), whose actions are depicted in the flow diagram of FIG. 10C. As indicated in FIG. 10, after passing block 254 and pentagon 256 (as long as there is appropriate command encryption), it would be routed by block 258 to block 236C, resulting in a “SET MAC=3” command being sent, as signal 210C, to MAC 200 (FIG. 13).

As mentioned above, there are occasions in which the RCC might elect to send a “SET MAC=1” command:

-   (a) if a terrorist or hijacking action was thwarted by the crew of the aircraft;
-   (b) if what was believed to be an appropriate RITO situation, in which a RITO command was executed, turned out not to be such a situation;
-   (c) if what was believed to be an appropriate PITO situation, in which a PITO command was executed, turned out not to be such a situation (Note that a PITO command can not be rescinded from aboard the aircraft.);
-   (d) during any short period of time when the judgment and flying skills of an on-board pilot might exceed those of remote control center personnel; and
-   (e) if the autopilot was known to be malfunctioning, and either (i) communications between the RCC were intermittent or inadequate, or (ii) there was attempted interference with communication by an unauthorized person.

The RCC personnel would accomplish this by sending a command to “SET MAC=1.” The command would be initially routed along the same path as the aforementioned “SET MAC=2” command. It would leave the aircraft receiver as signal 218 and go to the microprocessor 230 (FIG. 10A), whose actions are depicted in the flow diagram of FIG. 10C. As indicated in FIG. 10, after passing block 254 and pentagon 256 (as long as there is appropriate command encryption), it would be routed by block 258, to circle 260, to block 236A, resulting in a “SET MAC=1” command being sent, as signal 210A, to MAC 200 (FIG. 13).

A discussion of an alternate embodiment of the invention in which a SET MAC=1 command can not occur, and yet another alternate embodiment in which it can occur automatically, appears below in Section 6.2.2.2.3(e) and (f).

6.2.2.2.3 Alternate Possible Flow Diagrams

The methodology described in Section 6.2.2 and its subsections reflects a number of arbitrary inclusions and exclusions of certain design features. There are also some possible variations in the conditions under which MAC State transitions may occur (i) by command from the RCC, (ii) automatically, and (iii) by command of the pilot. Operating versions of the invention might include any one or more of the following variations, as well as others:

-   (a) omitting the anti-hunting algorithm entirely;
-   (b) “relocation” of the anti-hunting algorithm so that its inputs are blocks 242 and 244, i.e. so that it smooths only handshake related fluctuations, and not fluctuations related to proper command encryption;
-   (c) having two different anti-hunting algorithms (with different degrees of error toleration), one that deals with handshake fluctuations and one that deals with encryption failures;
-   (d) omitting encryption confirmation entirely;
-   (e) changing the rules for allowable remote-control-center-induced transitions among MAC states. For example, FIG. 10C shows the possibility of a remote control center induced transition from MAC State 2 to MAC State 1. However, in an alternative embodiment of the invention, it would be possible to forbid such a transition; and
-   (f) changing the conditions which automatically cause transitions among MAC states. For example:
    -   (i) referring to the MAC State 2 to MAC State 1 transition discussed in (e) immediately above, another alternative embodiment of the invention would be one in which this transition occurs automatically (i.e. caused by logic carried out by microprocessor 230, rather than being caused by the RCC) in the event of failure of both RCC communications and the autopilot; and
    -   (ii) referring to the situation discussed in (i), immediately above, if after the transition from MAC State 2 to MAC State 1, the function of the autopilot is restored but the communication system is not restored, MAC State 3 may be entered automatically.

6.2.2.3 MAC State 4

Referring again to FIG. 10C, landing sensor signal 228 triggers the issuance of a post landing command. This results in the issuance of a SET MAC=4 command at block 236D, which is sent as signal 210D to the Master Aircraft Control 200. Thereafter, the aircraft cannot take off until a new encryption key or keys is loaded, at which time MAC State 1 is re-entered.

A mechanism to allow either remote- or pilot-induced transition to MAC State 4 is not shown in FIG. 10C. Since MAC State 4 curtails fuel flow to the engines, allowing such a transition to be induced by anything but an actual landing places the aircraft in potential jeopardy of receiving an inappropriate SET MAC=4 command during flight.

6.3 Controlled Aircraft Receiver and Decoder

The aircraft communications equipment includes the receiver and its associated decryption and decoding circuitry, and the transmitter and its associated encryption and encoding circuitry. The receiver and its associated components are discussed first.

6.3.1 Aircraft Receiver

The functions of the aircraft receiver and its associated components include:

- (a) receiving, decrypting and decoding control signals from the RCC and distributing them to the appropriate destination,
- (b) participating in a handshaking process involving the aircraft transmitter and the RCC receiver and transmitter, and
- (c) assessing the correctness of the encryption format for incoming commands.

As shown in FIG. 11B, incoming signals through antenna 302 reach receiver 300. There may be one or more antenna(e) for various types of signals. After appropriate signal demodulation and processing by means that are known in the art, encrypted control signals reach block 301. The signals 303 are distributed to two locations: (a) decryption and decoding circuits, shown in FIG. 14, and (b) an encryption assessment procedure, which runs on microprocessor 330 (FIG. 11A) and whose logic is indicated by the flow diagram of FIG. 11C.

6.3.1.1 Decryption and Decoding of Signals Received by the Aircraft

As per the discussion in Section 2.1, “encryption key” is used, hereinabove and hereinbelow, interchangeably with “decryption key.” On the other hand, the isolated words such as “encrypted” and “decryption” retain their more narrow definitions as the opposites of “decrypted” and “encryption,” respectively.

FIG. 14 shows encrypted control signals 303, from the aircraft receiver, undergoing decryption at block 406. The decryption key (hereinafter referred to as encryption key) is obtained from one of three sources, as previously discussed:

- (a) from a locally or manually loaded key reading device 232 (FIG. 10B) which sends the encryption key as signals 224A to block 402, which supplies the necessary encryption key to decryption device 406;
- (b) from an aircraft-based encryption key generator 234 (FIG. 10B) which sends the key as signals 224B to block 402, which supplies the necessary encryption key to decryption device 406; and
- (c) from the aircraft receiver (further discussed below) as signals 224C to block 404, which supplies the necessary encryption key to decryption device 406. In this situation, an initial encryption key must be supplied from a source other than signals 224C from the aircraft receiver, i.e. either from reading device 232 or from on-board generator 234, since the receiver must have a first encryption key before it can decrypt any signals obtained by its receiver—including those which contain an encryption key. Two alternatives are these: (a) using the encryption key from the previous flight of the aircraft, until the new encryption key is loaded via the aircraft receiver, or (b) the non-secure approach of receiving the initial encryption key via the aircraft receiver in a non-encrypted format.

The decrypted signals are supplied to decoder 400, which converts the coded signals to aircraft control signals, each with a particular destination and command.

One class of commands includes those used to control and maneuver the aircraft. These include commands which control the throttle for each engine, the fuel mixture, the elevator, the rudder, the flaps, the ailerons and the landing gear. The commands contain information which allows precise control of and small changes in each of the controlled items. This allows a “pilot” in the remote control center to fly the aircraft and to maintain control that is as precise as it would be for an on-board pilot. (The information made available to this RCC pilot, and used to fly the aircraft, is discussed below.) These commands, and the ones discussed below are denoted in FIG. 14 by the large group of un-numbered blocks emanating from the aircraft decoder 400.

Another class of commands controls interior aspects of the aircraft, e.g. the cabin and cockpit lights and temperature, and cabin pressure.

Each block may refer to the control of more than one parameter. For example, the block labeled “deploy oxygen masks” allows control of mask deployment, control of the percentage of oxygen in the supplied gas mixture, and the flow rate of the mixture.

The blocks on the right side of FIG. 14 refer to the RCC pilot having the ability to control a series of cameras inside and outside of the aircraft. The blocks for camera orientation allow for pointing the camera so that it spans a multi-dimensional viewing area. The blocks for camera zoom/focus may also allow for the control of other camera parameters such as contrast, brightness, frame rate, image stabilization and other parameters as are known in the art. In the figure, the six outside cameras point forward, to the rear, right, left, up and down. The two inside cameras are for the cockpit and the cabin. Embodiments of the invention with other camera configurations are possible.

Embodiments of the invention with a larger or a smaller number of controlled items are possible, as long as it is possible for the RCC pilot to control the aircraft.

Another class of commands is related to control of communications between the remote control center and the aircraft. These commands are sent from the decoder 400 to receiver router block 408, and then as signals 410 to the signal router 304 of FIG. 11B.

6.3.1.2 Aircraft Signal Router Output

Referring, now, to FIG. 11B, signal router 304 distributes six groups of signals:

- (a) aircraft receiver control signals,
- (b) aircraft transmitter control signals,
- (c) signals to be stored in memory,
- (d) handshake signals,
- (e) commands to change the MAC State, and
- (f) one or more encryption keys obtained via the aircraft receiver.

6.3.1.2.1 Aircraft Receiver Control Signals

The aircraft receiver control signals 306, via receiver control circuits 308, select or modify features and parameters of the aircraft receiver. These may control the frequency or frequencies that the receiver is tuned to, the choice of receiver antenna and orientation of the antenna, the type of demodulation that occurs in the receiver, the gain and filtering at various points within the receiver, and other receiver parameters.

Changing frequency and modulation within the course of a flight allows a further means of encryption. For example, the RCC could send an encrypted command causing the aircraft receiver to switch to a specified frequency at a specified instant. Alternatively, a timed series of frequency or other parameter changes could be loaded along with or as part of the initial or any follow-up encryption key.

Receiver control circuits also allow for RCC-based adjustments in the aircraft receiver, in the event of a failed handshake (see below), or in the event that RCC becomes aware that the RCC-to-aircraft communications link is sub-optimal. Receiver control circuits 308 may also allow the selection of one or more antennae, from a larger number of available choices.

More robust communication systems, ideal for maintaining the most reliable remote controlled flight, will have one or more backup receivers, in the event the primary receiver fails. Such additional receivers may be maintained in a standby mode or may be in a fully operational mode at all times, working in parallel to the primary receiver. In such an event, the output of each receiver would flow to block 301 which would “consolidate” the respective outputs into a single group of encrypted control signals. Each receiver would have its own control circuits (analogous to block 308), controlled by individual sets of not-necessarily-identical receiver control signals flowing from block 306.

6.3.1.2.2 Aircraft Transmitter Control Signals

The aircraft transmitter control signals 312 emerge from block 310 and are supplied to aircraft transmitter control unit 338 (FIG. 12, see below). These signals control aircraft transmitter parameters such as frequency, choice of antenna, antenna orientation, power output, modulation, and gain and filtering at various points within the transmitter circuits.

Changing the transmitter frequency and/or its modulation within the course of a flight allows a further means of encryption. For example, the RCC could send an encrypted command causing the aircraft transmitter to switch to a specified frequency at a specified instant. Alternatively, a timed series of frequency or other parameter changes could be loaded along with or as part of the initial or any follow-up encryption key.

Transmitter control circuits also allow for RCC-based adjustments in the aircraft transmitter, in the event of a failed handshake (see below), or in the event that RCC becomes aware that the aircraft-to-RCC communications link is sub-optimal.

Transmitter control circuits 338 may also allow the selection of one or more antennae, from a larger number of available choices.

6.3.1.2.3 Aircraft Memory

Signals from the signal router 304 to memory 314A may include a record of all received signals, or only a selected subset of signals. (The aircraft transmitter memory, 314B, is discussed below.)

6.3.1.2.4 Handshake Signals

The purpose of the handshake signals is to allow both the aircraft and the RCC to become aware of a break in the communication between them immediately. In the case of the aircraft, the logic shown in FIG. 10C is such that a break in the handshake results in a switch to the autopilot. In the case of RCC, the break in handshake can be used to notify RCC personnel of the need to seek immediate communications alternatives.

The handshake block 316A and signals 222 of FIG. 11B are part of a circuit that includes, in the following sequence:

- (a) aircraft transmitter handshake block 316B, FIG. 12;
- (b) aircraft transmitter 332 and antenna 334, FIG. 12;
- (c) RCC antenna 502 and receiver 500, FIG. 16B;
- (d) encrypted RCC signal block 501 and signals 503, FIG. 16B;
- (e) RCC decryption 606 and RCC decoder 600, FIG. 18;
- (f) RCC receiver router 608 and signals 610, FIG. 18;
- (g) RCC signal router 504, RCC receiver handshake block 516A, and signals 517;
- (h) RCC transmitter handshake block 516B, FIG. 17;
- (i) RCC transmitter 556 and antenna 558, FIG. 17;
- (j) aircraft antenna 302 and receiver 300, FIG. 11B;
- (k) encrypted aircraft signal block 301 and signals 303, FIG. 11B;
- (l) aircraft decryption 406 and decoder 400, FIG. 14;
- (m) aircraft receiver router 408 and signals 410, FIG. 14; and
- (n) aircraft signal router 304, following which the handshake “returns” to aircraft receiver handshake block 316A and the cycle repeats.

As mentioned previously, the handshake process is continuously monitored. Handshake signals 222 from the aircraft receiver, FIG. 11B, are also sent to microprocessor 230 (FIG. 10A) which runs the logic shown in FIG. 10C. This logic includes pentagon 240 which shows the monitoring of whether the handshake is intact. As shown in FIG. 10C, a break in the handshake initiates the process by which a “SET MAC=3” command 210C is sent to Master Aircraft Control 200 (FIG. 13).

6.3.1.2.4.1 Handshaking Routine with Communication Interruption Signal

The occurrence of a break in the handshake sequence of signals may be detected by an interruption in the otherwise continuous repetition of signal 222. However, more sophisticated handshake assessment approaches may be used. For example, if a handshake signal does not arrive at the expected time at aircraft receiver handshake block 316A, a “RCC HANDSHAKE NOT RECEIVED BY AIRCRAFT” signal may be sent from 316A to aircraft transmitter handshake block 316B. Such a signal is more informative to the RCC than either (a) not having the aircraft send a handshake signal (which then leaves the RCC uncertain about whether the break in communication was from RCC to aircraft or from aircraft to RCC) or (b) having the aircraft continue to send the same handshake signal that it sends when communication is intact (which would leave the RCC uninformed that any break had occurred).

Receipt of such a signal by the RCC would, therefore, indicate a break in communications in the RCC-to-aircraft component of the communications loop. Upon receipt of a “RCC HANDSHAKE NOT RECEIVED BY AIRCRAFT” signal at the RCC, RCC options would therefore include one or more of the following:

- (a) increasing the power of the RCC transmission;
- (b) reassessing and, if necessary, readjusting the orientation of the RCC antennae, or changing to a different antenna(e);
- (c) increasing the transmission power of or adjusting the antennae of any repeater units (either satellite or terrestrial) which relay RCC transmissions to the aircraft;
- (d) changing the route from RCC to aircraft (e.g. using geographically different repeater units, or switching from a satellite-based repeater unit to a terrestrial one);
- (e) dispatching an airborne unit to serve as either the RCC (FIGS. 9A and 9B) or as a repeater unit (FIGS. 9C and 9D);
- (f) changing the frequency of the transmission from the RCC and, if necessary, sending a signal to the controlled aircraft indicating the frequency shift (This may not be necessary, since the aircraft receivers may be “listening” to a number of frequencies simultaneously; the frequency change may involve one or more of the links from the RCC to the aircraft.);
- (g) changing the modulation of the transmitted signal and sending a signal to change the demodulation at the receiving end; and
- (h) sending a signal or signals to the aircraft so as to (i) increase aircraft receiver sensitivity, (ii) change filtering or other receiver parameters, (iii) change receiver antenna or antennae orientation, or (iv) change receivers. (These could only be effective after momentary re-establishment of the RCC-to-aircraft component of communications.)

Again referring to the handshaking system which uses the “RCC HANDSHAKE NOT RECEIVED BY AIRCRAFT” signal: an interruption in the handshake signals received at the RCC, i.e. a complete absence of handshake signals, suggests that the break in communications is in the aircraft-to-RCC component. Although this absence of handshake signal at the RCC does not rule out a two-way communication failure, simultaneous loss of both communication components is less likely than the loss of just the aircraft-to-RCC component. It therefore is reasonable to direct remedies at curing this fault. Such remedies include:

- (a) sending an RCC signal to the aircraft to increase aircraft transmitter power;
- (b) readjusting the orientation of the aircraft or the RCC antenna or changing to a different antenna at either end;
- (c) increasing the transmission power of or adjusting the antennae of any repeater units (either satellite or terrestrial) which relay aircraft transmissions to the RCC;
- (d) changing the route from aircraft to RCC (e.g. using geographically different repeater units, or switching from a satellite-based repeater unit to a terrestrial one);
- (e) dispatching an airborne unit to serve as either the RCC or as a repeater unit;
- (f) changing the frequency of the transmission from the aircraft. Alternatively, the frequency change may involve one or more of the links from the aircraft to the RCC;
- (g) changing the modulation of the signal transmitted by the aircraft;
- (h) changing aircraft transmitter; and
- (i) adjusting RCC receiver parameters including (i) increasing receiver sensitivity, (ii) changing receiver filtering or other selectivity or noise rejection parameters.

If remedies which address an inoperative aircraft-to-RCC component fail to cure the problem, the possibility of a two-way loss is increased and remedies which address an inoperative RCC-to-aircraft component of the handshake, discussed previously, may be attempted. Alternatively, in this situation, it would be possible to simultaneously address a potential break in each of the communication components, e.g. by simultaneously increasing the transmitted RCC signal strength and increasing the RCC receiver sensitivity.
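The RCC-side fault localization described in this section can be sketched as follows. This is an added example, not part of the patent text; the name HANDSHAKE_OK, the escalation threshold of three silent cycles, and the assumption that the RCC transmits a handshake every cycle are illustrative.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

HANDSHAKE_OK = "HANDSHAKE"  # assumed name for the normal handshake message
NOT_RECEIVED = "RCC HANDSHAKE NOT RECEIVED BY AIRCRAFT"  # quoted in the text


class Diagnosis(Enum):
    INTACT = "handshake loop intact"
    RCC_TO_AIRCRAFT = "break in RCC-to-aircraft component"
    AIRCRAFT_TO_RCC = "break in aircraft-to-RCC component (two-way loss not ruled out)"


def aircraft_reply(uplink_ok: bool) -> str:
    """Blocks 316A -> 316B: report a missed RCC handshake instead of going silent."""
    return HANDSHAKE_OK if uplink_ok else NOT_RECEIVED


def rcc_observation(uplink_ok: bool, downlink_ok: bool) -> Optional[str]:
    """What reaches the RCC in one cycle; None models a complete absence of signal."""
    return aircraft_reply(uplink_ok) if downlink_ok else None


def diagnose(observed: Optional[str]) -> Diagnosis:
    """Map what the RCC received to the link component most likely at fault."""
    if observed is None:
        return Diagnosis.AIRCRAFT_TO_RCC
    if observed == NOT_RECEIVED:
        return Diagnosis.RCC_TO_AIRCRAFT
    if observed == HANDSHAKE_OK:
        return Diagnosis.INTACT
    raise ValueError(f"unexpected handshake message: {observed!r}")


@dataclass
class RccHandshakeMonitor:
    escalate_after: int = 3  # assumed: silent cycles tolerated before widening remedies
    silent_cycles: int = 0

    def step(self, observed: Optional[str]) -> Tuple[Diagnosis, List[str]]:
        """Return the diagnosis and the link components the remedies should target."""
        diagnosis = diagnose(observed)
        if diagnosis is Diagnosis.AIRCRAFT_TO_RCC:
            self.silent_cycles += 1
            targets = ["aircraft-to-RCC"]
            # Downlink remedies have not cured the silence: a two-way loss is
            # now more plausible, so address the other component as well.
            if self.silent_cycles > self.escalate_after:
                targets.append("RCC-to-aircraft")
            return diagnosis, targets
        self.silent_cycles = 0
        if diagnosis is Diagnosis.RCC_TO_AIRCRAFT:
            return diagnosis, ["RCC-to-aircraft"]
        return diagnosis, []


def run(timeline: List[Tuple[bool, bool]]) -> List[Tuple[Diagnosis, List[str]]]:
    """Feed per-cycle link states (uplink_ok, downlink_ok) through one monitor."""
    monitor = RccHandshakeMonitor()
    return [monitor.step(rcc_observation(up, down)) for up, down in timeline]


# Constructed link states per handshake cycle: (uplink_ok, downlink_ok)
SAMPLE_TIMELINE = [
    (True, True), (False, True), (True, False),
    (False, False), (False, False), (False, False), (True, True),
]

if __name__ == "__main__":
    for state, (diag, targets) in zip(SAMPLE_TIMELINE, run(SAMPLE_TIMELINE)):
        print(state, "->", diag.value, targets)
```

In the constructed timeline a two-way loss looks identical to a downlink-only loss from the RCC's side, which is why the monitor starts with aircraft-to-RCC remedies and widens them only after they fail to restore the handshake.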

6.3.1.2.4.2 Handshaking Routines of Still Greater Complexity

Handshaking systems of greater complexity are possible. For example, upon failing to receive an RCC handshake signal, the aircraft system could be set up to start changing some of the aircraft receiver parameters. Care must be taken to avoid a situation in which aircraft-based (automatic) efforts nullify RCC efforts. Two ways to avoid such nullification are: (a) restricting aircraft changes to parameters which are unlikely to nullify RCC efforts, and (b) having a previously agreed upon sequence of timed changes, so that, for example, as the RCC transmitter changes frequency, the aircraft receiver would switch to an identical one. The aforementioned previously agreed upon sequence could be contained in the encryption key and on one or more of the follow-up encryption keys.

Another complex handshaking feature would be the execution of a distinct handshake between each component of a multi-link repeater network, rather than having a single handshake involving only the end units. Troubleshooting between adjacent repeater units could be automatic, with a format similar to that discussed for the aircraft-RCC pair. Additional assessment of the failed link could be made from either the aircraft or the RCC end of the communication chain.

6.3.1.2.5 Commands to Change the MAC State

The Remote Initiated Takeover Command (RITO) and other commands sent from a remote control center to the aircraft to change MAC State, e.g. “SET MAC=3,” or “SET MAC=1” flow from signal router 304 (FIG. 11B) through block 318 and, as signal 218, are sent to the microprocessor 230 (FIG. 10A), which, under appropriate conditions, signals MAC 200 (FIG. 13), thereby executing a change of MAC state. The conditions for the execution of the change in MAC state are shown schematically in FIG. 10C and discussed above. These conditions include the proper encryption of the command, which is discussed below in the context of FIGS. 11A and 11C.

6.3.1.2.6 One or More Encryption Keys Obtained via the Aircraft Receiver

As indicated above, one of three ways in which an encryption key is loaded onto the aircraft is through the aircraft receiver. As discussed in Section 6.3.1.1, certain conditions must be considered if the first encryption key of a flight is loaded via the aircraft receiver.

The received encryption key flows from signal router 304 to block 324C from where it is made available as signals 224C to:

- (a) microprocessor 230 (FIG. 10A) and the MAC state-setting logic which runs on it (FIG. 10C);
- (b) microprocessor 330 (FIG. 11A) and the command encryption assessment logic which runs on it (FIG. 11C);
- (c) the aircraft transmitter (FIG. 12);
- (d) the aircraft decryption and decoding circuits (FIG. 14); and
- (e) the aircraft encryption and encoding circuits (FIG. 15).

6.3.1.3 Aircraft Receiver Command Encryption Assessment

As a means of further protecting the aircraft against control by an unauthorized person, each command that it receives is “inspected” for proper encryption formatting. The flow diagram which shows the logic for this assessment is shown in FIG. 11C. The microprocessor on which it runs is shown in FIG. 11A.

The aforementioned pentagon symbol, used previously in FIG. 10C (see Section 6.2.2.2.1.2), is the format for the current assessment. Pentagon 325 of FIG. 11C makes the statement: “Using the information supplied by the encryption key(s), if the command 303 under assessment is encrypted properly, go to block 326A; but go to block 326B if the command is not properly encrypted.”

Each encrypted command 303 (coming from the aircraft receiver in FIG. 11B) is sampled as described immediately above. The standard for proper command formatting is supplied by the encryption key or keys from any of the three previously discussed sources:

- (a) the reading device for local or manually loaded keys 232 (FIG. 10B) whose information 224A is supplied to pentagon 325 via block 324A;
- (b) the aircraft-based encryption key generator 234 (FIG. 10B) whose information 224B is supplied to pentagon 325 via block 324B; and
- (c) the aircraft receiver, via signal router 304 (FIG. 11B) whose information 224C is supplied to pentagon 325 via block 324C (of FIG. 11B).

A properly encrypted command leads to block 326A and signal 220A. This indicator of proper encryption format is used as an input to two pentagons in the flow diagram 10C, which determine (a) whether an RCC-based command to change MAC state (including the Remote Initiated Takeover Command) is to be accepted (pentagon 256), and (b) once the control of a flight has been taken away from the aircraft pilot, whether the ongoing stream of commands is encrypted well enough to maintain MAC State 2 with RCC control of the flight (pentagon 246). Proper encryption signal 220A results in (a) acceptance of a RCC command to change MAC state (pentagon 256), and (b) in a bias to MAC State 2 (pentagon 246).

An improperly encrypted command leads to block 326B and signal 220B. Improper encryption signal 220B results (a) in rejection of a RCC command to change MAC state, and a pilot notification signal (pentagon 256), and (b) in a bias to MAC State 3 (pentagon 246). Block 326B also causes signal 328 to (a) enable the aircraft transmitter (if it is not already enabled) and (b) transmit an “IMPROPERLY ENCRYPTED COMMAND RECEIVED” message (FIG. 12) after encoding (block 346) and encryption (block 348). The signal is received by the RCC (signal 536, FIGS. 16A, 16B and 16C) with one of two results:

- (a) If the aircraft is then controlled by the aircraft pilot, the improper command is considered to indicate the possibility of an attempt by an unauthorized person to begin remote control of the aircraft. The system sends a message (which would likely appear on a screen or be spoken) to Air Traffic Control, and/or the RCC personnel to notify the aircraft pilot and security personnel. In one embodiment of the invention, the RCC personnel would have the option of setting MAC=1 for a prolonged period of time, until the source of the inappropriate command could be investigated.
- (b) If the aircraft is then controlled by the RCC pilot, the improper command is considered to indicate the possibility of an attempt by an unauthorized person to take control of the aircraft away from the RCC. The system would then send a message to the RCC personnel to consider transmitting a “SET MAC=3” command (autopilot control of the aircraft), in order to secure the control of the aircraft. To prevent competition between (i) an unauthorized person trying to gain access to the remote control function, and (ii) the RCC, the system would, in one embodiment of the invention, allow the RCC to set MAC=3 for a prolonged period of time. Once the “SET MAC=3” command is accepted, the aircraft logic could lock out any subsequent commands until either:
  - (i) a fixed period of time goes by (during which the source and nature of the unauthorized signal may be investigated);
  - (ii) an interceptor aircraft could be scrambled, which would allow control of aircraft 100 from a very short distance (as in FIG. 9A). This would allow the use of very low gain amplification in the aircraft receiver and very highly directional means for communication between the interceptor aircraft and the controlled aircraft, both of which would increase the likelihood of rejection of signals originating far from the aircraft; or
  - (iii) further communication security measures are taken including additional or alternate encryption means, and/or changes in one or more parameters of the communication format.

The assessment of proper encryption format could include one or more of:

- (a) checking that the command length is the proper number of characters;
- (b) determining if certain mathematical operations using one or more characters within a command (e.g. a checksum) yield the correct results;
- (c) determining if certain obligate alphanumeric patterns appear within the commands;
- (d) determining if the time interval between characters fits the expected format; and
- (e) other encryption verification procedures as are known in the art.

The encryption evaluation as shown in FIG. 11C and discussed above is performed by the microprocessor 330 shown in FIG. 11A. The microprocessor may be one of many types that are known in the art. Its inputs include signals 224A, 224B and 224C from each of the three possible encryption key sources, and signals 303, the encrypted commands to be assessed for proper formatting. Its outputs include signals 220A (correct encryption) and 220B (incorrect encryption), which are inputs to the MAC state-setting microprocessor 230 (FIG. 10A) and signal 328 which causes the aircraft transmitter to send a signal indicating the detection of an improperly encrypted command aboard aircraft 100.
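A sketch of the format assessment of pentagon 325, covering checks (a) through (d) listed above and the resulting aircraft outputs. This is an added example, not part of the patent text; the FormatProfile fields, the byte-sum checksum, the sample command layout and the timing limits are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Sequence


@dataclass(frozen=True)
class FormatProfile:
    """Hypothetical formatting standard supplied by the encryption key(s)."""
    length: int = 16         # (a) required number of characters
    marker: str = "MAC"      # (c) obligate pattern ...
    marker_offset: int = 4   #     ... and the position where it must appear
    min_gap_ms: float = 0.5  # (d) allowed interval between characters
    max_gap_ms: float = 2.0


@dataclass
class Assessment:
    signal: str  # "220A" = properly formatted, "220B" = improperly formatted
    failures: List[str] = field(default_factory=list)


def checksum(body: str) -> str:
    """(b) Assumed checksum: byte sum modulo 256 as two uppercase hex characters."""
    return format(sum(body.encode("ascii", "replace")) % 256, "02X")


def make_command(body: str) -> str:
    """Build a correctly formatted sample command: body followed by its checksum."""
    return body + checksum(body)


def assess(command: str, arrival_ms: Sequence[float],
           profile: FormatProfile = FormatProfile()) -> Assessment:
    """Pentagon 325: run every check so that all failed criteria are reported.

    These are format checks only; none of them authenticates the sender.
    """
    failures: List[str] = []
    if len(command) != profile.length:
        failures.append("length")
    if len(command) < 3 or checksum(command[:-2]) != command[-2:]:
        failures.append("checksum")
    end = profile.marker_offset + len(profile.marker)
    if command[profile.marker_offset:end] != profile.marker:
        failures.append("pattern")
    gaps = [later - earlier for earlier, later in zip(arrival_ms, arrival_ms[1:])]
    if len(arrival_ms) != len(command) or any(
        not (profile.min_gap_ms <= gap <= profile.max_gap_ms) for gap in gaps
    ):
        failures.append("timing")
    return Assessment("220B" if failures else "220A", failures)


def aircraft_outputs(result: Assessment, is_mac_change: bool) -> List[str]:
    """Blocks 326A/326B: what the aircraft does with the assessment result."""
    if result.signal == "220A":
        if is_mac_change:
            return ["accept RCC command to change MAC state (pentagon 256)"]
        return ["bias to MAC State 2 (pentagon 246)"]
    if is_mac_change:
        actions = ["reject RCC command to change MAC state (pentagon 256)",
                   "notify pilot"]
    else:
        actions = ["bias to MAC State 3 (pentagon 246)"]
    actions += ["signal 328: enable aircraft transmitter",
                'transmit "IMPROPERLY ENCRYPTED COMMAND RECEIVED"']
    return actions


if __name__ == "__main__":
    good = make_command("SET MAC=3 0042")          # constructed sample command
    times = [float(i) for i in range(len(good))]   # constructed 1 ms spacing
    altered = good[:8] + "1" + good[9:]            # one character changed in transit
    for label, cmd in (("good", good), ("altered", altered)):
        result = assess(cmd, times)
        print(label, result.signal, result.failures, aircraft_outputs(result, True))
```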

6.4 Controlled Aircraft Encoder and Transmitter

In order for a remote pilot to properly control aircraft 100, all or as much as possible of the information available to the aircraft pilot must be made available to the remote pilot.

FIG. 15 illustrates some of the most important aircraft data to be sent, and the means for encoding and encrypting the information. The information to be sent includes:

- (a) detailed information about the position and velocity of the aircraft, including G.P.S. information, altimeter reading, airspeed, vertical speed, and information about the orientation of the aircraft;
- (b) video information from each of the previously discussed inside and outside cameras;
- (c) information about each of the aircraft engines, including, for example, throttle position, fuel flow, turbine speed, fan speed, oil temperature and oil pressure;
- (d) the amount of fuel remaining in each tank;
- (e) the actual positions of key controlling elements including the elevator, the rudder, the flaps, the ailerons and the landing gear; and
- (f) audio information from within the cabin and the cockpit.

With the exception, perhaps, of the video information, this information is available on existing commercial aircraft and supplied on a continuous basis to the aircraft flight recorder.

The signals representing each of the aforementioned are encoded by aircraft encoder 410. The encoded signals are then encrypted by encrypting unit 418. Block 418 has inputs from both the encoder and each of the possible aforementioned encryption key sources. The manual/local loading, and the aircraft-generated sources, both shown in FIG. 10B, provide inputs 224A and 224B to block 412, which inputs the encryption key to encrypting unit 418. An encryption key received via the aircraft receiver provides input 224C to block 414, which also inputs encrypting unit 418. The output of the encrypting unit, encrypted aircraft data 416, is sent as signals 342, via block 343 which supplies the aircraft memory 314B with transmitted information, to the aircraft transmitter 332, as shown in FIG. 12.

An additional group of six inputs destined for the aircraft transmitter and related to MAC State decisions, are shown in the lower portion of FIG. 12 and include:

- (a) PITO signal 212;
- (b) signal 328, indicating that an improperly encrypted command was received by the aircraft (discussed above in Section 6.3.1.3);
- (c) signal 216, from the anti-hunting algorithm of FIG. 10C, indicating an excessive frequency of transitions between MAC State 2 and MAC State 3; and
- (d) three signals 354A, 354B and 354C from an algorithm which seeks to detect unauthorized aircraft takeover by the detection of a significant deviation from either (i) the expected aircraft position based on the initially filed flight plan, or (ii) the flight plan itself (see discussion of FIGS. 20A and 20B below).

These six signals flow to a second aircraft encoder which is identical in function to (and may be a part of) encoder 410. The signals are encrypted, in a manner identical to the aircraft data signals of FIG. 15, by encryption unit 348 which is identical in function to (and may be a part of) encryption unit 418. The three sources of encryption information—key reading device 232, key generator 234 and received key source 324C, which generate signals 224A, 224B and 224C, respectively—also provide input to encryption unit 348.

Signals 224A and 224B entering encryption unit 348 can also serve to disseminate either the manually loaded encryption key or the aircraft generated key. They may also be used to generate a sequence of nested encryption keys, as discussed above in Section 3.2.1 and below in Section 6.6.

The output of encryption unit 348, encrypted signals related either directly or indirectly to MAC state transitions, or consisting of encryption key(s), goes to the aircraft transmitter 332.

Three other inputs to the transmitter include:

- (a) handshake signals 222, via block 316B, from the previous point in the handshake cycle, the aircraft receiver;
- (b) aircraft transmitter control signals 312, via block 338, coming from the aircraft receiver; and
- (c) three sources of signals which converge on block 336 and enable the aircraft transmitter:
  - (i) signal 212, from the state-setting microprocessor 230, indicating either PITO or RITO;
  - (ii) signal 354D, from microprocessor 730 (see below), indicating aircraft deviation from expected position or flight plan; and
  - (iii) signal 328, from microprocessor 330, indicating the aircraft receipt of an improperly encrypted command.

Aircraft transmitter 332 outputs to one or more antenna(e) 334.

The possible addition of backup transmitters renders the communications system more robust. (A similar role for backup receivers was discussed above in Section 6.3.1.2.1.) Such additional transmitters would most likely be maintained in a standby mode, since multiple simultaneously operating transmitters make signal detection by an unauthorized person easier. Each transmitter would have its own control circuits (analogous to block 338), controlled by individual sets of not-necessarily-identical transmitter control signals flowing from block 310. The inputs to transmitter 332 shown in FIG. 12 would be distributed in parallel to each transmitter. The transmitters may share one or more antennae, or may each have their own antenna(e).

6.5 Remote Control Center Receiver and Decoder

The RCC communications equipment includes the receiver and its associated decryption and decoding circuitry, and the transmitter and its associated encryption and encoding circuitry. The receiver and its associated components are discussed first. Many of the items and concepts in this section parallel items and concepts in Section 6.3, the “Aircraft Receiver and Decoder.” Where appropriate, the parallel is indicated and the discussion is shortened.

6.5.1 Remote Control Center Receiver

The functions of the RCC receiver and its associated components include:

-   (a) receiving, decrypting and decoding data signals from the controlled aircraft and distributing them to the appropriate destination,
-   (b) participating in the handshaking process, and
-   (c) assessing the correctness of the encryption format for incoming data.

As shown in FIG. 16B, incoming signals through antenna 502 reach receiver 500. There may be one or more antennae for various types of signals. After appropriate signal demodulation and processing by means that are known in the art, encrypted RCC control signals reach block 501. The signals 503 are distributed to two locations: (a) decryption and decoding circuits, shown in FIG. 18, and (b) an encryption assessment procedure, which runs on microprocessor 554 (FIG. 16A) and whose logic is indicated by the flow diagram of FIG. 16C.

6.5.1.1 Decryption and Decoding of Signals Received by the RCC

FIG. 18 shows encrypted control signals 503, from the aircraft receiver, undergoing decryption at block 606. The encryption key is obtained from one of two sources:

-   (a) from a RCC-based encryption key generator 523A (FIG. 17) which sends the key as signals 524A to block 602, which supplies the necessary encryption key to decryption device 606; and
-   (b) from the RCC receiver (discussed below) as signals 524B to block 604, which supplies the necessary encryption key to decryption device 606. As was discussed in the case of the aircraft receiver, an initial encryption key must be supplied from a source other than signals 524B from the RCC receiver, e.g. from the RCC generator 523A, since the RCC receiver must have a first encryption key before it can decrypt any signals obtained by its receiver, including those which contain an encryption key. Two alternatives are these: (a) using the encryption key from a previous flight of this aircraft, or (b) the non-secure approach of receiving the initial encryption key via the aircraft receiver in a non-encrypted format.

The decrypted signals are supplied to decoder 600, which converts the coded signals to aircraft related data signals. Each data signal corresponds to an identical one sent from the aircraft. Accordingly, each of the blocks (shown on the sides of FIG. 18) which receives an output from the RCC decoder, corresponds to an identical block among the aircraft encoder inputs (shown on the sides of FIG. 15). The information depicted in these blocks, including aircraft position, velocity and orientation, video and audio information, engine and fuel information and information about the outer controlling surfaces (e.g. the rudder) and the landing gear, is displayed by a bank of monitors in the remote control center. By viewing these, and other information, a remote control center pilot is able to fly aircraft 100.

Other information which the RCC-based pilot of aircraft 100 might observe includes information concerning the location of other nearby aircraft; weather information; the location of an intercepting aircraft, if any, and its estimated time of arrival; and video information from an intercepting aircraft, if any.

Data related to the control of communications between the remote control center and the aircraft, and the setting of the MAC state are sent from the decoder 600 to the RCC receiver router block 508, and then as signals 610 to the signal router 504 of FIG. 16B.

6.5.1.2 Aircraft Signal Router Output

Referring, now, to FIG. 16B, signal router 504 distributes nine groups of signals:

The RCC receiver control signals 506 may be used to synchronize the RCC receiver and the aircraft transmitter. This might be necessary if changes in channel or modulation scheme are part of an encryption system. It also might be necessary in the event of an interrupted handshake, which was followed by a change in aircraft transmitter frequency or modulation which originated at the aircraft. Signals 506 control RCC receiver control circuits 508, which control the RCC receiver 500. In all other situations, the RCC receiver is controlled independently by personnel in the RCC.

RCC transmitter control signals 512 flow from block 510 to the RCC transmitter control block 562 shown in FIG. 17. The RCC transmitter control signals serve essentially the same purpose as the RCC receiver control signals, i.e. (a) they may support an encryption scheme, and (b) they may be part of the mechanism for an aircraft-based repair of an interrupted handshake.

The RCC receiver memory, block 514A, archives all RCC data during a remote controlled flight.

The RCC receiver handshake block 516A sends signals 517 to the RCC transmitter handshake block, as part of the handshaking loop described in conjunction with the aircraft receiver.

Four of the outputs relate either directly or indirectly to actual or possible changes in MAC state:

-   (a) block 517, indicating that a PITO has occurred, results in signal 518 to microprocessor 554, which causes the RCC control panel to show a message (or to deliver it in audio format) indicating that PITO has occurred;
-   (b) block 526, indicating that the frequency of transitions between MAC State 2 and MAC State 3 has exceeded a critical value. This results in signal 528 to microprocessor 554 which causes the RCC control panel to show a message (or to deliver it in audio format) which says “CONSIDER TRANSMIT ‘SET MAC=3’” (see earlier discussion of anti-hunting algorithm);
-   (c) block 530A, indicating an excessive deviation in either the expected position of the aircraft, based on a previously filed flight plan, or, an excessive deviation in the flight plan itself. This results in signal 532 to microprocessor 554 which causes the RCC control panel to show a message (or to deliver it in audio format) which says “CONSIDER TRANSMIT ‘SET MAC=2’” (see below);
-   (d) block 534, indicating that the aircraft has received an improperly encrypted command. This scenario, discussed above in Section 6.3.1.3, results in the display (and/or the announcement) of either “SET TRANSMIT ‘SET MAC=3’” or “NOTIFY PILOT AND SECURITY OFFICER.”

Router 504 also leads to block 523B which may provide one or more encryption keys received via the RCC receiver. The received encryption key(s) are available as signals 524B to:

-   (a) microprocessor 554 (FIG. 16A) and the command encryption assessment logic which runs on it (FIG. 16C);
-   (b) the RCC transmitter (FIG. 17);
-   (c) the RCC decryption and decoding circuits (FIG. 18); and
-   (d) the RCC encryption and encoding circuits (FIG. 19).

6.5.1.3 Remote Control Center Receiver Data Encryption Assessment

As a means of further protecting the RCC against interference by an unauthorized person, each “data packet” that it receives is inspected for proper encryption formatting. The flow diagram which shows the logic for this assessment is shown in FIG. 16C. The microprocessor on which it runs is shown in FIG. 16A. Examples of data packets would be (i) the amount of fuel remaining in the right wing tank, and (ii) the aircraft altitude.

The pentagon symbol, used in a parallel circumstance in FIG. 11C, is the format for the current assessment. Pentagon 538 of FIG. 16C makes the statement: “Using the information supplied by the encryption key(s), if the data packet 503 under assessment is encrypted properly, go to block 540A; but go to block 540B if the data packet is not properly encrypted.”

Each encrypted data packet 503 (coming from the RCC receiver in FIG. 16B) is sampled as described immediately above. The standard for proper command formatting is supplied. The standard for proper data packet formatting is supplied by the encryption key or keys from either of the two previously discussed sources, the RCC-based encryption source (block 523A, FIG. 17) or the RCC receiver (block 523B, FIG. 16B).

A properly encrypted command leads from block 540A to decision block 542A. If a remote controlled flight is already in progress, block 544A corresponds to the display or announcement of the message “CONTINUE REMOTE CONTROL (see FIG. 16A),” indicating that remote control communication is proceeding properly. The situation in which a data packet is received from a flight that is not already remotely controlled would be a properly encrypted Pilot Initiated Takeover Signal. This would lead to box 546A which would result in (a) signal 548 to block 560 (FIG. 17) enabling the RCC transmitter, and (b) display block 546B (FIG. 16A) indicating the display and/or announcement of the message “PITO RECEIVED.”

An improperly encrypted data packet leads to block 540B.

This condition has been discussed in Sections 6.3.1.3 and 6.5.1.2 above.

Microprocessor 554 shown in FIG. 16A supports the logic displayed in FIG. 16C. The inputs to the microprocessor are encryption key sources 524A and 524B, encrypted data packets 503, received PITO signal 518, received anti-hunting algorithm output 528, signal 536 indicating that the aircraft receiver has received an improperly encrypted command, and signal 532 indicating excessive deviation from expected aircraft position or flight plan. The outputs of microprocessor 554 include five messages and a signal to enable the RCC transmitter, which have already been discussed.

6.6 RCC Encoder, Transmitter and Encryption Source

Many of the items and concepts in this section parallel items and concepts in Section 6.4, as well as other sections. Where appropriate, the parallel is indicated and the discussion is shortened.

In order for a remote pilot to properly control aircraft 100, he or she must be able to control all of the critical aircraft functions which would be controlled by an on-board pilot.

FIG. 19 illustrates some of the most important aircraft commands to be sent, and the means for encoding and encrypting these commands. Each of the blocks (shown on the sides of FIG. 19) which sends an input from the RCC encoder, corresponds to an identical block among the aircraft decoder outputs (shown on the sides of FIG. 14). The commands depicted in these blocks include the control of the throttles, flaps and other aircraft maneuvering means, the landing gear, cabin and cockpit conditions, and each of eight cameras previously discussed. By controlling these, a remote control center pilot is able to fly aircraft 100. The control panel, in the RCC, would ideally be set up to be similar in appearance and ergonomics to an actual aircraft cabin.

Control signals for the aforementioned aircraft controls are encoded by RCC encoder 610. The encoded signals are then encrypted by RCC encryption unit 618. Block 618 has inputs from both the encoder and each of the two possible RCC encryption key sources. The RCC-generated source, shown in FIG. 17, provides input 524A to block 612, which inputs the encryption key to encryption unit 618. An encryption key received via the RCC receiver provides input 524B to block 614, which also inputs encryption unit 618. The output of the encrypting unit, encrypted RCC commands 616, is sent as signals 542, via block 543 which supplies the RCC memory 514B with transmitted information, to the RCC transmitter 556, as shown in FIG. 17.

An additional group of six inputs destined for the RCC transmitter are shown in FIG. 17 and include:

-   (a) handshake signals 517, via block 516B, from the previous point in the handshake cycle, the RCC receiver;
-   (b) RCC transmitter control signals 512, via block 562, coming from the RCC receiver;
-   (c) two sources of signals which converge on block 560 and enable the RCC transmitter:
    -   (i) a signal from block 562A, indicating RITO; and
    -   (ii) signal 548, from microprocessor 554, indicating the RCC receipt of a PITO signal; and
-   (d) three signals 562A, 562B and 562C which allow the RCC to change the MAC state, including the RITO signal, “SET MAC=2.” These three signals flow to a second RCC encoder 564 which is identical in function to (and may be a part of) encoder 610. The signals are encrypted, in a manner identical to that of the other RCC control signals of FIG. 19, by encryption unit 566 which is identical in function to (and may be a part of) encryption unit 618. The two sources of encryption information, key generator 523A and received key source 523B, generate signals 524A and 524B respectively, which provide inputs to encryption unit 566. The output of encryption unit 566, encrypted signals related either directly or indirectly to MAC state transitions, goes to the aircraft transmitter 556.

RCC transmitter 556 outputs to one or more antenna(e) 558. The possible addition of backup transmitters, as discussed in conjunction with the RCC transmitter, renders the communications system more robust.

The RCC-based encryption key source 523A shown in FIG. 17 is analogous to the aircraft-based source 234 shown in FIG. 10B. It inputs to:

-   (a) microprocessor 554, FIG. 16A;
-   (b) encryption formatting assessment flow diagram 16C;
-   (c) both RCC transmitter encryption units 566 (FIG. 17) and 618 (via block 612, FIG. 19); and
-   (d) RCC decryption unit 606 (via block 602, FIG. 18).

The fact that one of the aforementioned outputs of the RCC encryption generator 524A becomes an input to RCC encryption unit 566 indicates three possible uses of the encryption key by RCC encryption unit 566:

-   (a) as previously indicated, for the encryption of signals 562A, 562B and 562C;
-   (b) for transmission of a non-encrypted version of the encryption key, generated by encryption key source 523A; and
-   (c) for transmission of an encrypted version of the encryption key, generated by encryption key source 523A. In this case, the key used for encrypting the transmission would be a prior key (e.g. the Nth key); the encrypted information being sent would be the newly generated key (e.g. the [N+1]th key).

A series of such nestings may produce a key encrypted by a prior key encrypted by an even earlier key, and so on. This methodology, nested encryption keys, is discussed in Section 3.2.1.
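The packet assessment of Section 6.5.1.3 and the nested key updates described above can be sketched together. This is an added illustration, not part of the specification: "properly encrypted" is modelled as an encrypt-then-MAC check, the HMAC-based keystream is a standard-library stand-in for a real cipher, and all function and class names, the packet layout and the "IMPROPERLY ENCRYPTED" label are assumptions. It also shows a property a design reviewer would check: because key N+1 travels under key N, one leaked key plus the recorded updates yields every later key.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def subkeys(key):
    """Derive separate cipher and MAC keys so one secret is not used for both."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher (assumption)."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC. Assumed packet layout: nonce || ciphertext || tag."""
    enc_key, mac_key = subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def open_packet(key, packet):
    """Return the plaintext, or None when the packet is not properly encrypted."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = subkeys(key)
    nonce, body, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))


def assess_packet(key, packet, remote_flight_in_progress):
    """Decision flow the text gives for FIG. 16C (pentagon 538 onward)."""
    plaintext = open_packet(key, packet)
    if plaintext is None:
        return "IMPROPERLY ENCRYPTED", None          # block 540B (label is constructed)
    if remote_flight_in_progress:
        return "CONTINUE REMOTE CONTROL", plaintext  # block 544A
    return "PITO RECEIVED", plaintext                # blocks 546A/546B


class KeyChain:
    """Key N wraps key N+1, as in use (c) of encryption unit 566."""

    def __init__(self, initial_key):
        self.keys = [initial_key]                    # first key arrives out of band

    @property
    def current(self):
        return self.keys[-1]

    def rotate(self):
        """Sender: generate key N+1 and return it sealed under key N."""
        new_key = os.urandom(KEY_LEN)
        update = seal(self.current, new_key)
        self.keys.append(new_key)
        return update

    def accept(self, update):
        """Receiver: adopt key N+1 only if the update verifies under key N."""
        new_key = open_packet(self.current, update)
        if new_key is None or len(new_key) != KEY_LEN:
            return False
        self.keys.append(new_key)
        return True


def keys_exposed_by(leaked_key, recorded_updates):
    """Design-review check: later keys that follow from one leaked key plus the
    key-update messages sent after it (the chain has no forward secrecy)."""
    exposed, key = [], leaked_key
    for update in recorded_updates:
        key = open_packet(key, update)
        if key is None:
            break
        exposed.append(key)
    return exposed


if __name__ == "__main__":
    k0 = os.urandom(KEY_LEN)
    rcc, aircraft = KeyChain(k0), KeyChain(k0)
    updates = [rcc.rotate() for _ in range(3)]
    print([aircraft.accept(u) for u in updates])
    packet = seal(aircraft.current, b"ALT=35000")    # constructed data packet
    print(assess_packet(rcc.current, packet, True))
    print(assess_packet(rcc.current, seal(k0, b"ALT=100"), True))  # stale key
    print(len(keys_exposed_by(k0, updates)), "later keys follow from k0")
```

The same reasoning applies to use (b): a key sent in non-encrypted form gives the receiver nothing to verify it against, so every key derived from it inherits that exposure.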

6.7 Flight Path Deviation Detection

FIG. 20B shows a flow diagram for the detection of significant deviations in flight plan of aircraft 100. FIG. 20A shows the microprocessor on which the flow diagram runs, its inputs and its outputs.

There are two algorithms which run in parallel. The first one looks at where an aircraft should be based on its initial flight plan 700 and all of the updates to the flight plan 703A, and compares this to where the aircraft actually is, based on G.P.S. readings 704. This comparison is carried out in FIG. 20B by pentagon 708. Its format is similar to the pentagon format previously discussed in conjunction with FIGS. 10C, 11C and 16C. If the actual aircraft position has not excessively deviated from the expected position, the left lower output of pentagon 708 indicates that there is no action taken other than to continue running the algorithm. In the event of excess deviation, indicated by the right lower output of pentagon 708 to block 706B, the aircraft transmitter is enabled by signal 354D, and block 710 indicates the generation of a “CONSIDER RITO” signal 354C which is transmitted to the RCC.

The second algorithm looks for a sudden, excessive deviation in the flight plan. To do this it compares any update to the flight plan (update #N, block 703C) with both: (a) the initial flight plan 700, and (b) each previous update (update #1 through #N−1, block 703B). Pentagon 712 performs this evaluation. If there is no sudden deviation, the lower right output of the pentagon, monitoring continues without any specific action. If there is sudden deviation, the lower left output of the pentagon signals block 706B, the aircraft transmitter is enabled by signal 354D, and block 710 indicates the generation of a “CONSIDER RITO” signal 354C which is transmitted to the RCC.

The filing of the initial flight plan 700 or an update 702 leads to block 706A which enables the aircraft transmitter with signal 354D. The initial flight plan is transmitted to the RCC as signal 354A, updates as signal 354B.

FIG. 20A shows the microprocessor 730 which runs the algorithm. Its inputs are the flight plans and the G.P.S. signals. Its outputs are the flight plans being passed along (signals 354A and 354B), a signal 354D for enabling the aircraft transmitter, and a signal 354C for transmitting a CONSIDER RITO message.

An alternate embodiment of the invention would place the microprocessor which runs this algorithm in the RCC instead of on the controlled aircraft.
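The two parallel checks of this section can be sketched as follows. This is an added illustration, not code from the specification: the flight-plan representation (time-stamped waypoints), the linear interpolation, the two thresholds in nautical miles, the rule that an update is flagged when it diverges from any earlier plan, and all names are assumptions; the specification does not define what counts as "excessive."

```python
import math

EARTH_RADIUS_NM = 3440.065


def distance_nm(p, q):
    """Great-circle (haversine) distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))


def expected_position(plan, t):
    """Where a plan puts the aircraft at minute t.

    plan: [(minute, lat, lon), ...] with strictly increasing minutes (assumed
    format). Linear interpolation between waypoints is a simplification that
    is adequate for short legs.
    """
    if t <= plan[0][0]:
        return plan[0][1:]
    for (t0, lat0, lon0), (t1, lat1, lon1) in zip(plan, plan[1:]):
        if t <= t1:
            f = (t - t0) / (t1 - t0)
            return (lat0 + f * (lat1 - lat0), lon0 + f * (lon1 - lon0))
    return plan[-1][1:]


def plan_divergence_nm(plan_a, plan_b, t_from, step=5):
    """Largest gap between two plans, sampled over the rest of the flight."""
    t_end = max(plan_a[-1][0], plan_b[-1][0])
    return max((distance_nm(expected_position(plan_a, t), expected_position(plan_b, t))
                for t in range(t_from, t_end + 1, step)), default=0.0)


class DeviationMonitor:
    """The two checks run by microprocessor 730; thresholds are assumed values."""

    def __init__(self, initial_plan, position_limit_nm=25.0, plan_limit_nm=100.0):
        self.plans = [initial_plan]          # initial plan 700, then updates #1..#N
        self.position_limit_nm = position_limit_nm
        self.plan_limit_nm = plan_limit_nm

    def check_position(self, t, gps_fix):
        """Pentagon 708: GPS position versus the position the latest plan expects."""
        deviation = distance_nm(expected_position(self.plans[-1], t), gps_fix)
        return "CONSIDER RITO" if deviation > self.position_limit_nm else None

    def file_update(self, t_now, new_plan):
        """Pentagon 712: update #N versus the initial plan and every earlier update.

        Without this check a drastic re-filed plan would silently move the
        baseline that check_position compares against.
        """
        worst = max(plan_divergence_nm(new_plan, old, t_now) for old in self.plans)
        self.plans.append(new_plan)
        return "CONSIDER RITO" if worst > self.plan_limit_nm else None


if __name__ == "__main__":
    # Constructed sample data: a two-hour westbound leg along 40 degrees north.
    initial = [(0, 40.0, -74.0), (60, 40.0, -80.0), (120, 40.0, -86.0)]
    monitor = DeviationMonitor(initial)
    print(monitor.check_position(30, (40.1, -77.0)))   # about 6 nm off
    print(monitor.check_position(30, (41.0, -77.0)))   # about 60 nm off
    reroute = [(30, 40.0, -77.0), (60, 40.5, -80.0), (120, 40.0, -86.0)]
    print(monitor.file_update(30, reroute))            # modest reroute
    diversion = [(30, 40.0, -77.0), (120, 33.0, -77.0)]
    print(monitor.file_update(30, diversion))          # sudden turn south
```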

There has thus been shown and described a novel system for assuming and maintaining secure remote control of an aircraft which fulfills all the objects and advantages sought therefor. Many changes, modifications, variations and other uses and applications of the subject invention will, however, become apparent to those skilled in the art after considering this specification and the accompanying drawings which disclose the preferred embodiments thereof. All such changes, modifications, variations and other uses and applications which do not depart from the spirit and scope of the invention are deemed to be covered by the invention, which is to be limited only by the claims which follow.

1. A method of assuming and maintaining secure control of an aircraft in the event of an attack upon, or incapacity of, a pilot of the aircraft, said method comprising the steps of: (a) providing a secure transmission link by and between first transmitting and receiving means (“first T/R means”) on a first aircraft and second transmitting and receiving means (“second T/R means”) at a location remote from the first aircraft, thereby permitting secure communication between said first aircraft and said remote location; (b) initiating and executing a command to prevent on-board control of the flight of said first aircraft by any personnel on said first aircraft and transmitting said command from one of said first aircraft and said remote location to the other; (c) transmitting flight data from said first aircraft to said remote location via said transmission link; (d) transmitting flight control data from said remote location to said first aircraft via said transmission link; and (e) manually piloting said first aircraft by remote control from said remote location to actuate aerodynamic control surfaces of said first aircraft in substantially real time to control the flight of the first aircraft without guidance of an autopilot, until the need for said remote pilot control has ended or until said first aircraft has landed safely.
2. The method defined in claim 1, wherein said command is initiated by pressing a button in a cockpit of said first aircraft.
3. The method defined in claim 1, wherein said command is initiated by speaking a voice word.
4. The method defined in claim 3, further comprising the step of determining whether the voice word is spoken by an authorized person and initiating said command only if it is spoken by said authorized person.
5. The method defined in claim 3, further comprising the step of determining whether a certain word is spoken, and initiating said command only if said word is spoken.
6. The method defined in claim 5, wherein said word is changed from time to time.
7. The method defined in claim 1, wherein said command is initiated by inputting a certain alphanumeric code by means of an input device in the first aircraft.
8. The method defined in claim 7, wherein said code is changed from time to time.
9. The method defined in claim 1, wherein said command is initiated off-site of said first aircraft.
10. The method defined in claim 9, wherein said command is initiated off-site of said first aircraft when requested by an authorized person.
11. The method defined in claim 9, wherein said command is initiated when Air Traffic Control suspects that said pilot is unable to properly control the first aircraft.
12. The method defined in claim 9, wherein said command is initiated when the first aircraft deviates from an expected flight path.
13. The method defined in claim 9, wherein audio sounds in the first aircraft are transmitted to said remote location via said first and second T/R means and wherein said command is initiated when such sounds indicate that said pilot is unable to properly control the first aircraft.
14. The method defined in claim 9, wherein video in the first aircraft is transmitted to said remote location via said first and second T/R means and wherein said command is initiated when such video indicates that said pilot is unable to properly control the first aircraft.
15. The method defined in claim 9, wherein a second aircraft flies within the vicinity of said first aircraft and wherein said command is initiated when said second aircraft informs the remote location of an irregularity.
 16. The method defined in claim 1, whereina second aircraft flies in the vicinity of said first aircraft, saidsecond aircraft having third transmitting and receiving means (third TIRmeans) for communicating with said second T/R means at said remotelocation and fourth transmitting and receiving means (fourth T/R means)for communicating with said first T/R means on said first aircraft,whereby said second aircraft serves as a repeater station forcommunications between the remote location and said first aircraft. 17.The method defined in claim 16, wherein said first T/R means on saidfirst aircraft include means for transmitting and receivingpreferentially in the direction of said second aircraft.
 18. The methoddefined in claim 17, wherein said preferential direction transmittingand receiving means include a directional RF antenna.
 19. The methoddefined in claim 17, wherein said preferential direction transmittingand receiving means include laser transmitting apparatus.
 20. The methoddefined in claim 17, wherein said preferential direction transmittingand receiving means include acoustic transmitting apparatus.
 21. Themethod defined in claim 16, wherein said fourth T/R means on said secondaircraft include means for transmitting and receiving preferentially inthe direction of said first aircraft.
 22. The method defined in claim21, wherein said preferential direction transmitting and receiving meansinclude a directional RF antenna.
 23. The method defined in claim 21,wherein said preferential direction transmitting and receiving meansinclude laser transmitting apparatus.
 24. The method defined in claim21, wherein said preferential direction transmitting and receiving meansinclude acoustic transmitting apparatus.
 25. The method defined in claim16, wherein a satellite is located in orbit above the earth, saidsatellite having seventh transmitting and receiving means (seventh T/Rmeans) for communicating with said third T/R means on said secondaircraft and eighth transmitting and receiving means (eighth T/R means)for communicating with said second T/R means at said remote location,wherein said satellite relays communications between said secondaircraft and said remote location and said second aircraft relayscommunications between said satellite and said first aircraft.
 26. Themethod defined in claim 16, wherein said first aircraft has means forreducing the sensitivity of receipt of signals from the second aircraft,when the first and second aircraft are in close proximity.
 27. Themethod defined in claim 1, wherein a second aircraft flies in thevicinity of said first aircraft, said second aircraft incorporating theremote location for control of said first aircraft and having saidsecond T/R means for communicating with said first T/R means on saidfirst aircraft.
 28. The method defined in claim 27, wherein said secondaircraft comprises a flight control station to enable a substitute pilotaboard said second aircraft to control said first aircraft.
29. The method defined in claim 27, wherein said first T/R means on said first aircraft include means for transmitting and receiving preferentially in the direction of said second aircraft.
30. The method defined in claim 29, wherein said preferential direction transmitting and receiving means include a directional RF antenna.
31. The method defined in claim 29, wherein said preferential direction transmitting and receiving means include acoustic transmitting apparatus.
32. The method defined in claim 29, wherein said preferential direction transmitting and receiving means include laser transmitting apparatus.
33. The method defined in claim 27, wherein said second T/R means on said second aircraft include means for transmitting and receiving preferentially in the direction of said first aircraft.
34. The method defined in claim 33, wherein said preferential direction transmitting and receiving means include a directional RF antenna.
35. The method defined in claim 33, wherein said preferential direction transmitting and receiving means include laser transmitting apparatus.
36. The method defined in claim 33, wherein said preferential direction transmitting and receiving means include acoustic transmitting apparatus.
37. The method defined in claim 1, wherein the flight data transmitted to said remote location and the control data transmitted to said first aircraft are encrypted using at least one encryption key, and further comprising the step of providing said at least one encryption key to said first aircraft and to said remote location.
38. The method defined in claim 37, wherein said at least one encryption key is provided to said first aircraft while at an airport prior to take-off for the flight.
39. The method defined in claim 38, further comprising the step of providing an updated encryption key to said first aircraft and to said remote location during the flight of said first aircraft.
40. The method defined in claim 39, wherein said updated encryption key is encrypted using at least one of the encryption keys previously provided to said first aircraft.
41. The method defined in claim 37, wherein said at least one encryption key is generated at said airport and is provided to both said first aircraft and to said remote location.
42. The method defined in claim 37, wherein said at least one encryption key is generated on said first aircraft and is provided to said remote location.
43. The method defined in claim 37, wherein said at least one key is generated at said remote location and is provided to said first aircraft.
44. The method defined in claim 37, wherein said at least one encryption key is stored on at least one storage medium and said step of providing said encryption key comprises the step of supplying said storage medium to at least one of said first aircraft and said remote location, whereby said storage medium is the means by which the key is provided to said at least one of said first aircraft and said remote location.
45. The method defined in claim 37, further comprising the step of alerting at least one of an onboard pilot and personnel at the remote location if any one of said command for preventing onboard control of said aircraft, said flight data and said control data are improperly encrypted.
46. The method defined in claim 1, wherein a satellite is located in orbit above the earth, said satellite having fifth transmitting and receiving means (fifth T/R means) for communicating with said first T/R means on said first aircraft and sixth transmitting and receiving means (sixth T/R means) for communicating with said second T/R means at said remote location, wherein said satellite relays communications between said first aircraft and said remote location.
47. The method defined in claim 46, wherein said remote location is attached to the earth.
48. The method defined in claim 46, wherein said remote location is aboard a second aircraft.
49. The method defined in claim 46, wherein the flight data transmitted to said remote location and the control data transmitted to said first aircraft are encrypted using at least one encryption key.
50. The method defined in claim 49, further comprising the step of providing said at least one encryption key from said satellite to said first aircraft and to said remote location prior to or during the flight of said first aircraft.
51. The method defined in claim 49, further comprising the step of providing said at least one encryption key from said remote location to said first aircraft via said satellite prior to or during the flight of said first aircraft.
52. The method defined in claim 49, further comprising the step of providing said at least one encryption key from said first aircraft to said remote location via said satellite prior to or during the flight of said first aircraft.
53. The method defined in claim 46, wherein first T/R means on said first aircraft includes an antenna with a radiation pattern directed upwardly only, said antenna directing communication signals to and from the fifth T/R means on said satellite and not toward the ground.
54. The method defined in claim 53, wherein said first T/R means on said first aircraft and said fifth T/R means on said satellite communicate with each other via a highly directional beam.
55. The method defined in claim 54, wherein said first aircraft transmits, and said satellite receives information about the position of said first aircraft, and said satellite includes means for orienting its antenna in the direction of said first aircraft in response to said position information.
56. The method defined in claim 54, wherein said first aircraft transmits, and said satellite receives information about the position of said first aircraft, and said first aircraft includes means for orienting its antenna in the direction of said satellite in response to said position information.
57. The method defined in claim 46, wherein said second T/R means at the remote location and said sixth T/R means on said satellite communicate with each other via a highly directional beam.
58. The method defined in claim 1, wherein the first aircraft includes an autopilot device for automatically controlling the first aircraft, said method further comprising the step of switching control to the autopilot device, after said command is initiated during any time that the remote pilot control of the first aircraft may not be safely maintained, for any reason.
59. The method defined in claim 58, wherein control is automatically switched to the autopilot device, after said command is initiated, if transmission between the first aircraft and the remote location is interrupted for a prescribed period of time.
60. The method defined in claim 58, further comprising the step of switching control back to the onboard pilot of said first aircraft if the autopilot device and the remote pilot cannot safely maintain control of the first aircraft for any reason.
61. The method defined in claim 1, wherein said first aircraft includes at least one video camera pointed in the direction of flight, and said flight data includes at least one video image of the region of space in the forward flight path of the first aircraft.
62. The method defined in claim 1, wherein said remote location comprises a flight control station to permit a pilot at said remote location to manually pilot said first aircraft.
63. The method defined in claim 1, wherein the first aircraft includes an autopilot device for automatically controlling the first aircraft, said method further comprising the step of switching control to the autopilot device, after said command is initiated, until the remote pilot control of the first aircraft may be safely maintained.